Systems for network risk assessment including processing of user access rights associated with a network of devices

ABSTRACT

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for network risk assessment. One of the methods includes obtaining information describing network traffic between a plurality of network devices within a network. A network topology of the network is determined based on the information describing network traffic, with the network topology including nodes connected by an edge to one or more other nodes, and with each node being associated with one or more network devices. Indications of user access rights of users are associated to respective nodes included in the network topology. User interface data associated with the network topology is generated.

CROSS-REFERENCE TO RELATED APPLICATIONS

Any and all applications for which a foreign or domestic priority claimis identified in the Application Data Sheet as filed with the presentapplication are hereby incorporated by reference in their entirety under37 CFR 1.57.

BACKGROUND

Networks are commonly utilized to connect an organization's, e.g., acompany's, computer systems and electronically stored information. Theorganization can utilize components, e.g., routers, to receiveconnection requests from network devices, e.g., computer systems, androute the requests to appropriate devices that can handle the requests.Networks can include thousands or millions of network devices, withthousands or millions of user accounts permitted to access the networkdevices.

System administrators, e.g., people that set up and maintain networks,can attempt to separate their networks such that certain users/devicescannot access other parts of the network. To effect this separation,system administrators can utilize firewalls to block access, and utilizeaccess control lists that identify user accounts expressly permitted toaccess particular network devices.

SUMMARY

In general, one innovative aspect of the subject matter described inthis specification can be embodied in methods that include the actionsof obtaining information describing network traffic between a pluralityof network devices within a network; determining, based on theinformation describing network traffic, a network topology of thenetwork, wherein the network topology comprises a plurality of nodeseach connected by an edge to one or more of the plurality of nodes, andwherein each node is associated with one or more network devices;associating indications of user access rights of users to respectivenodes included in the network topology; and generating user interfacedata associated with the network topology.

The foregoing and other embodiments can each optionally include one ormore of the following features, alone or in combination. An indicationof user access rights of a particular user to a particular nodecomprises one or more of: information indicating that the particularuser is permitted access to a space which includes at least one networkdevice associated with the particular node, information indicating thata user account associated with the particular user can provideinformation to, or receive information from, at least one network deviceassociated with the particular node, or information indicating that theuser account associated with the particular user is permitted to access,or has actually attempted to access, at least one network deviceassociated with the particular node. The actions include obtainingaccess control lists associated with respective nodes, wherein eachaccess control list identifies user accounts permitted to access one ormore network devices associated with a node. The actions includeobtaining access records associated with respective nodes, wherein eachaccess record identifies actual access attempts by user accounts to oneor more network devices associated with a node. Generating userinterface data comprises generating a graph identifying the networktopology. Each edge included in the network topology represents acommunication path. The actions include receiving an identifier of aparticular user; obtaining indications of user access rights of theparticular user that are associated with respective nodes included inthe network topology; and including information in the user interfacedata identifying the indications of user access rights.

Particular embodiments of the subject matter described in thisspecification can be implemented so as to realize one or more of thefollowing advantages. A system can efficiently determine a networktopology describing connections between network devices of a network,and user accounts permitted to access each network device. The systemcan then automatically determine weaknesses in the network, such as apreviously unknown communication path between secure and insecure partsof the network, and quantify risks associated with the network, e.g., aloss to a company if a network device or user account were compromised.In this way, a company can obtain visual representations of its network,quickly view the level of access that each user account or networkdevice has with respect to its network, and quantify costs associatedwith a compromised level of access.

The details of one or more embodiments of the subject matter of thisspecification are set forth in the accompanying drawings and thedescription below. Other features, aspects, and advantages of thesubject matter will become apparent from the description, the drawings,and the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a risk assessment system in communication with anetwork and an example of a determined network topology.

FIG. 2A illustrates an example user interface of a graph identifying anetwork topology with associated compromise values.

FIG. 2B illustrates an example user interface of the graph showingaccess rights of a selected node.

FIG. 2C illustrates another example user interface of the graph showingaccess rights of the selected node.

FIG. 2D illustrates an example user interface of the graph showingaccess rights of a selected user account.

FIG. 2E illustrates an example user interface of the graph showingaccess rights to an identified critical area of a network.

FIG. 3 is a diagram of an example risk assessment system.

FIG. 4 illustrates a flowchart of an example process for network riskassessment.

FIG. 5 illustrates a flowchart of an example process for determiningaccess rights of user accounts.

FIG. 6 illustrates a flowchart of an example process for determining acompromise risk value associated with a user account or node.

FIG. 7 illustrates a flowchart of an example process for determining atotal compromise value associated with a user account or node.

FIG. 8 is a block diagram of an embodiment of the example riskassessment system.

FIG. 9A is an example user interface illustrating user account riskvalues of user accounts.

FIG. 9B is an example user interface illustrating summary data.

FIG. 9C is an example user interface illustrating modifications tonetwork device risk values caused by an external event.

FIG. 9D is an example user interface illustrating remedial actions to betaken in response to an external event.

FIG. 10 is a block diagram of one embodiment of the risk assessmentsystem, including example components and modules.

FIG. 11 is a flowchart of an example process for generating userinterface data describing risk values associated with user accounts andnetwork devices of one or more networks.

FIG. 12A is a flowchart of an example process for determining a networkdevice risk value of a network device.

FIG. 12B is a flowchart of an example process for determining a useraccount risk value of a user account.

FIG. 13 is a flowchart of an example process for generating userinterface data describing an external event.

FIG. 14 is a flowchart of an example process for monitoring networksecurity investments implemented in the networks.

FIG. 15 is an example user interface illustrating summary information ofnetwork devices and user accounts.

FIG. 16 is an example user interface illustrating compromise values andcompromise vulnerabilities.

FIG. 17 is an example user interface illustrating selection of a useraccount.

FIG. 18 is an example user interface illustrating user accounts groupedtogether according to employee department.

FIG. 19 is an example user interface illustrating summary informationassociated with one or more metrics.

FIG. 20 is an example user interface illustrating trend informationassociated with a selected metric.

FIG. 21 is an example user interface illustrating summary informationassociated with presently occurring investments.

FIG. 22-24 are examples of additional user interfaces illustratingadditional embodiments.

FIG. 25A illustrates an example user interface for creating a metric tobe applied to user accounts or systems associated with one or morenetworks.

FIG. 25B illustrates an example user interface for creating a metricassociated with a network device.

FIG. 25C-25D illustrate an example of creating a metric.

FIG. 26 illustrates an example process for creating a metric measuringaspects of a compromise value or compromise likelihood, and applying thecreated metric.

FIG. 27 illustrates an example user interface for monitoring a metric.

FIG. 28A illustrates an example user interface for presenting a networkrisk map.

FIG. 28B illustrates a second example user interface for presenting anetwork risk map.

FIG. 28C illustrates an example user interface presenting summaryinformation associated with a particular user account.

FIG. 28D illustrates a second example user interface presenting summaryinformation associated with a user account.

FIG. 28E illustrates a user interface for exporting informationassociated with user accounts.

FIG. 29 illustrates an example process for sharing informationassociated with a network risk map.

Like reference numbers and designations in the various drawings indicatelike elements.

DETAILED DESCRIPTION

In order to facilitate an understanding of the systems and methodsdiscussed herein, a number of terms are defined below. The terms definedbelow, as well as other terms used herein, should be construed toinclude the provided definitions, the ordinary and customary meaning ofthe terms, and/or any other implied meaning for the respective terms.Thus, the definitions below do not limit the meaning of these terms, butonly provide exemplary definitions.

DEFINITIONS

To facilitate an understanding of the systems and methods discussedherein, a number of terms are defined below. The terms defined below, aswell as other terms used herein, should be construed to include theprovided definitions, the ordinary and customary meaning of the terms,and/or any other implied meaning for the respective terms. Thus, thedefinitions below do not limit the meaning of these terms, but onlyprovide exemplary definitions.

Network Devices refers generally to any server, laptop, desktop, storagedevice, router, point of sale machines, and so on. A network device maybe accessed by a single user or may be accessed by multiple users, suchas directly (e.g., sitting at the keyboard of a network device) and/orremotely (e.g., accessing the network device via a network).

Network traffic refers generally to any communications or datatransmitted within a network, such as may be indicated in router logs,e.g., network flow data describing communications between networkdevices, firewall logs, e.g., data identifying network devices that arepermitted to access particular other network devices, and proxy logs,e.g., data describing network devices that request or receiveinformation through a proxy server.

Network topology refers generally to the relationship between variousnetwork devices, such as an indication of network devices and theconnections between those network devices. A network topology may bedetermined based on network traffic to identify unique network devices,and connections from each unique network device to other unique networkdevices.

Access information refers generally to any information describing alevel of access that a user account has within a network. For instance,access information can include information regarding a particular useraccount's access rights and/or actual accesses to nodes in a networktopology. Such access information may be determined based on accessprivileges and/or access records.

Access privileges refers general to any rules or information that isused to control what a user can access. Access privileges may beimplemented using a list of rules that apply to a specific node (orother object, such as a file, folder, printer, etc.) that defines whichuser accounts or groups of user accounts have access to that object. AnAccess Control List (ACL) is one example of access privileges.

Access records refers generally to information indicating actualaccesses by a network device, such as to other specific network devicesand/or particular directories, files, etc., within the network. Examplesof access records include those maintained by directory services, suchas MICROSOFT ACTIVE DIRECTORY service. In some embodiments, accessinformation includes information regarding user accounts associated withindividuals that can physically touch a network device, e.g., peoplewith access rights to a room containing the network device, which may betracked using a physical keycard access log, for example.

Vulnerability (also referred to herein as “compromise vulnerability” or“compromise likelihood”) refers generally to a likelihood of anassociated user account (e.g., “account vulnerability”) or networkdevice (e.g., “network device vulnerability”) being compromised.

Value (also referred to herein as “compromise value,” or “importance”)refers generally to a measure of an estimated priority an attacker wouldassign a user account (e.g., “user account value”) or network device(e.g., “network device value”) to compromise. In some embodiments, anetwork device value may be indicative of a cost of data stored by thenetwork device (e.g., alone or in combination with the above describedpriority).

Value metrics refers generally to attributes that are used indetermining value of one or more user accounts, network devices, and/orcombinations of user accounts and/or network devices. Value metrics mayinclude user metrics such as privileges, title, group memberships, andso on. Value metrics may include network device metrics such as types ofoperating systems, types of applications being executed, value of useraccounts that log-in to a network device, title, and so on.

Risk (also referred to herein as “compromise risk”) refers generally toa combination of vulnerability and value that may be calculated for eachuser account (e.g., “account risk”), network device (e.g., “networkdevice risk”), and or group of any of these entities.

Weighting refers generally to an adjustment to a particular metric,vulnerability, importance, user account, network device and/or group ofany of these entities. For example, a weighting may be associated with aparticular importance metric to increase (or decrease) significance ofthat particular importance metric in calculating an importance.

External event refers generally to a real world event that informs, oraffects, a vulnerability of a user account or network device. Externalevents may include exploits that allow for software or hardware includedin one or more network devices to be compromised, compromised user datafrom server systems which host external web pages that may be accessedby employees (e.g., a social network storing personal information).

OVERVIEW

This specification describes techniques to determine a network riskassessment. For example, a risk determination system can initiallydetermine a network topology and obtain access information for eachnetwork device and/or for each user. The system can then provideinformation, e.g., to a system administrator, identifying the networktopology and the level of access that each user account has with thenetwork. The system can receive selections of user accounts, and providea visual representation of the network devices that the user account canreach, e.g., ping or communicate with, or access, e.g., log into.

To identify risks, e.g., quantifiable risks, such as account risksand/or system risks, associated with the network, the system candetermine various vulnerabilities and values associated with users anddevices within the network.

After determining compromise values for network devices, the system canreceive an identification of a user account, or network device, anddetermine the total compromise value associated with the user account,or network device, being compromised, e.g., by an attacker. That is, thesystem can determine the total compromise value for a user account, ornetwork device, from the respective compromise values of network devicesthat the user account, or network device, is permitted to access. Thetotal compromise value therefore identifies the risk, e.g., to acompany, incurred if a user account or network device gets compromised.

Additionally, the system can determine a compromise likelihood of a useraccount, or network device, being compromised. The compromise likelihoodidentifies a probability of the network device, or user account, beingcompromised, e.g., by an attacker.

The system can combine, e.g., multiply in a weighted relationship, thecompromise likelihood with the respective total compromise value todetermine a compromise risk value. The compromise risk value can be usedto quickly determine how secure a network device, or user account, is,e.g., by an insurance company, or by individuals responsible for riskmanagement at a company. In some embodiments, other inputs, e.g. asecurity questionnaire that is completed by a network administratorand/or individual network account holders, may be included incalculating a final network security evaluation, such as a networkcompromise risk value.

Example System Architecture and Network Topology

FIG. 1 illustrates a risk assessment system 100 in communication with anetwork 110 and an example of a determined network topology 120. Therisk assessment system 100, e.g., a system of one or more computers, orsoftware executing on a system of one or more computers (also referredto herein as “the system,”) is configured to determine the networktopology 120 from network traffic 114, e.g., router logs, firewall logs,proxy logs, router rules, of network devices included in a network 100.Example methods of determining a network topology 120 are describedbelow, with reference to FIG. 4. The risk assessment system 100 can beused, or operated, by a system administrator, e.g., an IT staffer, ChiefTechnology Officer, technology consultant, manager, and so on. Thus, anyreference to a “system administrator” or “administrator” herein shouldbe interpreted to include any one or more of these individuals or groupsof individuals, or any other entity that views and interacts with thevarious user interfaces disclosed herein.

The illustrated example of FIG. 1 includes five nodes, e.g., nodes 1-5122A-E, with each node including one or more network devices. Each nodewas determined by the risk assessment system 100 to be included in thenetwork 110. The risk assessment system 100 has also identifiedconnections between each of the five nodes, e.g., node 3 122C and node 5122E have communicated, by analyzing the network traffic 114. Asdiscussed below with reference to FIG. 4, the network topology 120 maybe determined in various manners, based on various combinations ofnetwork traffic information 114. In some embodiments, the networktopology 120 is determined by a third party and then enhanced by therisk assessment system 100, such as to include access information (e.g.,from an access control list) overlaid on the network topology 120, asdiscussed further below.

The risk assessment system 100 may also obtain user account accessinformation 112, e.g., access privileges and/or access records. Thus,the risk assessment system 100 can provide information identifying nodesincluded in the network topology 120 that a particular user account canaccess and/or has actually accessed, which is described below withreference to FIG. 2D.

The network topology can be generated and/or updated using various otherdata sources and/or processes that can be performed on the network, someof which are discussed further below with reference to FIG. 4. Forexample, in some embodiments the system sends instructions to identifiednetwork devices (or some subset of network devices, such as one deviceper access policy group) to send traceroute requests to other networkdevices. Information obtained in response to such traceroute requestsmay be useful in identifying network devices to which the requestingnetwork device actually has access, paths by which access may beobtained, and network devices to which the requesting device does nothave access. See FIG. 4, below, for other examples of information thatmay be included in development of a network topology.

Example Network Topology User Interfaces

FIG. 2A illustrates an example user interface of a graph 200Aidentifying a network topology with associated compromise values. Therisk assessment system 100 can generate user interface data, e.g., toprovide for presentation to a system administrator of the network 110,that includes a representation of a network topology, as described abovein FIG. 1. In some implementations, this representation is a graph 200A,e.g., a directed graph as illustrated in the example, which includesnodes each representing one or more network devices, which are connectedto other nodes by edges representing logged communications and/orpossible communication paths between nodes.

The example of FIG. 2A further illustrates compromise values associatedwith each node. A compromise value represents an approximate cost thatwould be incurred, e.g., to a company that owns the network, if the nodewere compromised, e.g. some portion of its data holdings being madeavailable to an unauthorized party. For instance, the compromise valuecan be the cost of the data stored by the node, such as a value torecover the data, to pay for specialized services associated with lossof the data, e.g., credit monitoring, costs of insurance deductiblesand/or increases in premiums, and/or any other costs. In someembodiments, costs may be estimated based on the type and quantity ofspecific types of data. For example, each item of credit card data canbe associated with a particular compromise value that is higher than thecompromise values for telephone numbers of customers. Thus, a compromisevalue for a node can be calculated by summing the compromise values foreach data item, or a particular set of data items of types having valuesof interest, stored on the node, where each data item has a definedcompromise value based on its type (e.g., credit card data, healthcaredata, contact information, etc.). The risk assessment system 100 canthen associate the calculated compromise values with respective nodes inthe graph 200A.

In the example of FIG. 2A, each node in the graph 200A is labeled with aHigh (“H”), Medium (“M”), or Low (“L”) compromise value. That is, thegraph 200A provides an easy method of viewing nodes that need to besecured carefully, e.g., due to a node storing sensitive/valuable dataassociated with a High compromise value. In this way, a systemadministrator can identify high value nodes for which extra securityprecautions may be desirable. In securing a node, the risk assessmentsystem 100 can overlay information on the graph 200A displaying nodesthat a selected node has access to, e.g., can provide information to, orrequest information from. Overlaying information describing nodes aselected node has access to is described below, with reference to FIG.2B. In other embodiments, compromise values may be dollar amounts, andthe risk assessment system 100 may calculate a total compromise valuefor the network from the compromise values for all nodes, a totalcompromise value of a node, e.g., the compromise value for the node andthe compromise values for all accessible nodes, and/or a totalcompromise value of a user account, e.g., the compromise values for allnodes accessible to the user account.

In some embodiments, nodes may additionally (or alternatively) indicateother attributes associated with network security, such as compromiselikelihood (e.g., likelihood of the particular node being accessed by anunauthorized entity) and/or compromise risk value (e.g., somecombination of total compromise value and compromise likelihood). Thus,in such an embodiment multiple indicators may be included on each node,such as an indicator of compromise value (e.g., High, Medium, Low, somedollar value indicator, and/or some other indicator), an indicator ofcompromise likelihood (e.g., High, Medium, Low, or some other relativeindicator), and/or an indicator of compromise risk value (e.g., High,Medium, Low, or any other such indicator). In the embodiment of FIG. 2E(discussed below), a total Network Risk Score of “F” (“Failing”) isprovided, which identifies a network compromise risk calculated based oncompromise risk values associated with the entire network.

FIG. 2B illustrates an example user interface 210A of the graph 200Bshowing access rights of a selected node 202. The risk assessment system100 can receive a selection of the node 202, such as by a systemadministrator clicking on a node of a user interface displaying thegraph 200B, and identify nodes that the selected node 202 can access,e.g., communicate with and/or is physically connected to. In someimplementations, having access to a node can mean that the selected node202 can provide a request to the node, e.g., as a ping, or can accessdata stored at the node.

In this example, the node 202 selected by the system administrator ishighlighted with a darker border, and all nodes that can be reached bythe selected node 202 are illustrated with broken lines. In otherembodiments, other visualizations may be used to identity a selectednode and accessible nodes, such as colors, highlighting, etc.

After receiving a selection of node 202, the graph 200B is updated toillustrate that the selected node 202 has access to node 204, e.g., byan edge representing that the two nodes have communicated and/or areconfigured to communicate within the network. Additionally, the graph200 illustrates that selected node 202 has access to node 208, e.g., byedge 207. This can occur when, for instance, node 206 has access to node208, and thus is configured to pass communications from selected node202 to node 208. Furthermore, selected node 202 has access to nodes 212Aand 212B by virtue of node 208.

The graph 200B can be utilized by a system administrator to determine aneed for a firewall between nodes 208 and 206, for example, which can beconfigured to block network traffic from selected node 202, and allowonly select network traffic from node 206. In this way, a systemadministrator can visually examine the network to determine whetherparticular nodes, e.g., nodes with a low compromise value, haveunnecessary access to other nodes, e.g., nodes with higher compromisevalues.

FIG. 2C illustrates another example user interface 210B of the graph200B showing access rights of the selected node 202. The user interface210B illustrates the graph 200B with nodes, and associated compromisevalues and compromise likelihoods, e.g., a probability identifying thelikelihood that a node can be compromised. Examples of determiningcompromise likelihood are described below, with reference to FIG. 6.

In this example, the node 214 selected by the system administrator ishighlighted with a darker border, and all nodes that can be reached bythe selected node 214 are illustrated with broken lines. In otherembodiments, other visualizations may be used to identity a selectednode and accessible nodes, such as colors, highlighting, etc.

The risk assessment system 100 has determined that node 214 isassociated with a low compromise value and high compromise likelihood,e.g., a high probability that the node can be compromised, and node 218is associated with a high compromise value and low compromiselikelihood, e.g., a low probability that the node can be compromised.Based on the information displayed in the user interface 210B, a systemadminister may consider whether the edge 216 between node 214 and node218 can be eliminated. Since an attacker could compromise node 214, witha high likelihood of a compromise, to gain access to node 218 with ahigh compromise value, the system administrator can decide that the edge214 should be limited, or eliminated. Additionally, the systemadministrator could alter node 214 to make it harder for an attacker tocompromise, e.g., increase password complexity to the node 214, limituser accounts that can access the node 214, limit physical access to thenode 214, and so on.

In some implementations, the risk assessment system 100 can determine acompromise risk value for each node, e.g., by multiplying the compromiselikelihood and total compromise value for the node. As described above,the total compromise value for a particular node is determined fromcompromise values of nodes the particular node has access to. In theseimplementations, the graph 200B can be updated to include the compromiserisk value, allowing a system administrator to directly compare nodes.Since each node will have a total compromise value scaled by theprobability of it being compromised, the system administrator canquickly identify high risk nodes, e.g., nodes associated with highcompromise risk values. In this way, the system administrator canquickly identify the risk to a company if the node was compromised.Examples of determining compromise risk values are described below, withreference to FIG. 6.

FIG. 2D illustrates an example user interface 220 of the graph 200Dshowing access rights of a selected user account. The risk assessmentsystem 100 can receive an identification of a user account, e.g., a useraccount associated with the network described in FIG. 1. For instance,the risk assessment system 100 can provide a listing of user accountnames, or search functionality, to a system administrator, and thesystem administrator can identify a user account. In one embodiment, auser interface that includes a drop-down (or some other selection) userinterface component, may be accessed by the system administrator inorder to select one or more user accounts. Such a user interface mayallow the network administrator to select groups of users, e.g., newhires, contractors, employees in particular departments, etc., filterthe user accounts by various attributes, such as hire date, title, etc.,and/or provide other searching and filtering functionality that allowsthe network administrator to easily select one or more user accounts ofinterest. After receiving the identification of the user account, therisk assessment system 100 can identify nodes that the selected useraccount can access, e.g., the user account has access rights to, and/ornodes that the user account has actually accessed within a definedperiod of time. In one embodiment, the user may be provided with one ormore user interface controls (e.g., a slider or drop-down menu) thatallow adjusting of the access criteria used to determine access rightsof the selected user account for display in the network topology, suchas a slider that allows adjustment of a time period of actual accessesby the user account to include in the network topology.

To identify nodes that the selected user account can access, the riskassessment system 100 may access user account access information, suchas one or more access privileges and/or access records, as definedabove. For example, in some embodiments, the risk assessment system 100discussed herein can map the access rights of a particular user account(or group) onto the network topology (e.g., generated based on NETFLOW,proxy logs, etc.), such that “reach” of the user account within thenetwork can be comprehensively visualized. A similarly mapping may alsobe performed based on access records for a particular user account,physical access privileges and/or records for a particular user account,or some combination of various access information.

In the example of FIG. 2D, the risk assessment system 100 has determinedthat the selected user account can access each node in the graph (shownin broken lines), except one node, e.g., node 222. A systemadministrator using the user interface 220 can inspect the nodes toeasily determine whether the selected user account has greater accessrights than is warranted, e.g., due to their job position. Additionally,the system administrator can request that the risk assessment system 100provide actual log-in information over a defined time period, e.g., aselectable time period, and identify whether the selected user accountrarely, or never, accesses certain nodes to which the user account hasaccess as such nodes may be candidates for updating their respectiveACLs so that the user account no longer has access rights.

In some implementations, the user interface 220 can include a selectableoption for updating the network topology to indicate nodes the useraccount has access to (e.g., based on access rights) and/or has actuallyaccessed (e.g., based on access records). As noted above, in someimplementations the risk assessment system 100 can obtain informationidentifying nodes that a person associated with the selected useraccount can physically access. For instance, the risk assessment system100 can obtain lists identifying physical badges worn by people, e.g.,employees, and rooms or spaces containing nodes that particular physicalbadges can access. The risk assessment system 100 can then identifynodes in rooms or spaces that the person associated with the selecteduser account can physically access.

As described above, the user interface may identify nodes that theselected user account has actually accessed, e.g., over a selectabletime period, instead of nodes the user account can access as in FIG. 2D.In this embodiment, unnecessary access to nodes can be identified in theuser interface by highlighting nodes that the user account can access,but has never accessed (over some selectable period of time selected bythe system administrator, such as a default time period or one that isdynamically adjustable by the system administrator using one or moreuser interface controls). For example, differences between a particularuser account's access rights and that particular user account's accessrecords (for some time period or based on all records) may be determinedin order to identify possible areas for tightening access rights forthat user account.

In some embodiments, user accounts may have access to only portions ofdata on a particular node. Thus, the user interface 220 may be updatedwith an indication that only parts of a particular node are accessibleand may be configured to provide a detailed drill-down of particulardirectories, files, etc. that the user account has access to in responseto a request from the system administrator (such as double-clicking on aparticular node).

FIG. 2E illustrates an example user interface 230 of the graph 200Eshowing access rights to an identified critical area of a network. Therisk assessment system 100 can receive an identification of a criticalarea of the network, e.g., a system administrator can provideidentifications of nodes, e.g., nodes 232A-D, that are intended by thesystem administrator to be critical e.g., important to a company or thenetwork. In some implementations the risk assessment system 100 canautomatically identify nodes likely to be critical, e.g., the system 100can determine compromise values for each node and identify criticalnodes as being associated with high compromise values. Determiningcompromise values is described below, with reference to FIG. 4.

After identifying a critical area of the network, the risk assessmentsystem 100 can identify a percentage of user accounts that can accessthe critical area of the network, as described above with reference toFIG. 2D, and a percentage of nodes that can access the secure area ofthe network, as described above with reference to FIG. 2B. That is, therisk assessment system 100 determines the access rights of each nodeoutside of the critical area, and identifies a number of nodes that canaccess any node in the critical area. The risk assessment system 100 canthen compute a percentage of nodes outside the critical area that canaccess the critical area, and provide the percentage to a systemadministrator using the user interface 230. Additionally, the riskassessment system 100 can determine a number of edges that connect to anode in the critical area. For instance, in the example the riskassessment system 100 has determined that three edges connect to nodesin the critical area, e.g., node 234 connects to node 232A by an edge,node 236 connects to node 232A by an edge, and node 238 connects to node232A by an edge. A larger quantity of connections to the critical areamay be indicative of an increased risk of compromise of that critical.Any connection to the critical area should be audited to ensure thatonly authorize traffic can travel across it.

Similarly, the risk assessment system 100 can determine a percentage ofuser accounts that can access, or have accessed, nodes in the criticalarea. In the example, the risk assessment system 100 has determined that18 out of 20 user accounts can access, or have accessed, nodes in thecritical area.

In some implementations, the system also calculates one or more metricsrelated to users' access to the network. For example, a metricindicating a total number of user accounts that have access to aparticular area of the network (and/or have actually accessed), such asa defined critical area, or number of user accounts that have access to(and/or have actually accessed) a threshold percentage, or number, ofnetwork nodes, e.g., 70%, 80%, 85% (wherein such percentage may beprovided by the system administrator). In the example, the riskassessment system 100 has determined that 20 out of 20 user accounts canaccess 80% of the total number of nodes in the graph. A similar metriccould be provided to indicate a percentage of user accounts that haveactually accessed at least 80% of the total number of nodes.Furthermore, discrepancies between these two ratio (e.g., have accessand actually accessed) may trigger alerts, e.g., recommendations, to thesystem administrator suggesting tightening of user account access rightsin view of actual node access being much lower than available nodeaccess.

Example Network Configuration

FIG. 3 illustrates a diagram of the risk assessment system 100 incommunication with the network 110 in order to build and/or enhance thenetwork topology based on access rights of user accounts. In thisembodiment, the risk assessment system 100 is shown in communicationwith the network 110 that includes one or more network devices, e.g.,network devices 312A-312N. In some implementations the risk assessmentsystem 100 can be a network device included in the network 110, or canbe software executing on a network device.

The risk assessment system 100 is in communication with, or maintains,one or more databases storing network traffic information and useraccount access information, e.g., the network traffic informationdatabase 302 and user account access information database 304.

In one embodiment, the network traffic information database 302 storesrouter logs, e.g., network traffic data describing communicationsbetween network devices such as NETFLOW data, firewall logs, e.g., dataidentifying network devices that are permitted to access particularother network devices, and/or proxy logs, e.g., data describing networkdevices that request or receive information through a proxy server.Additionally, the risk assessment system 100 can provide requests, e.g.,traceroute requests or pings, to network devices included in the network110, and receive identifications of network devices that the request wasrouted through. In this way the risk assessment system 100 can activelyidentify network devices in communication with each other, e.g., networkdevices that can provide information to, or receive information from,other network devices. The risk assessment system 100 can then use theseidentified network device communication paths to enrich the networktopology 120 or store these identified network device communicationpaths in the network traffic information database 302.

In one embodiment, the user account access information database 304stores access information describing a level of access that a useraccount, e.g., a user account of the network 110, has with a networkdevice included in the network 110. For instance, user account accessinformation can include identifications of user accounts that arepermitted to access a network device, e.g., log into the network device,or user accounts that can request data from or send data to a networkdevice, e.g., ping the network device. The information can be obtainedfrom access rights associated with respective nodes of the network 110.For example, rights of each network node in an Access Control List(“ACL”) may be parsed in order to determine, for each user account,which network nodes the user account can access. The user account accessinformation may also include information obtained from access recordsparticular to each network node included in the network 110, e.g.,information identifying user accounts that have accessed a networkdevice, or directory information identifying user accounts. In someimplementations, the information can identify network nodes thatparticular persons associated with user accounts can physically touchand/or has physically touched, e.g., physical access rights or physicalaccess records. For instance, as described above in FIG. 2D, theinformation can identify badges worn by people that allow entry into aroom or space containing particular network devices.

The risk assessment system 100 includes a network identification engine320 configured to obtain information stored in the network trafficinformation database 302 and determine and/or update a network topologyof the network 110. As noted above, a network topology identifies nodesin the network 110, e.g., one or more network devices grouped as a node,and connections between the nodes, e.g., network devices permitted toaccess other network devices. Additionally, the risk assessment system100 can actively provide requests to network devices included in thenetwork 110, e.g., traceroute requests, to identify connections betweennetwork devices. The risk assessment system 100 can also direct networkdevices in the network 110 to provide requests to other network devices,e.g., to identify connections between network devices, and receiveindications of whether requests to respective devices was successful.Examples of actively providing requests are described below, withreference to FIG. 4.

In some embodiments, an initial network topology may be generated by athird party service or software, and then the risk assessment system 100updates the network topology with additional information, such as useraccount access information, proxy logs, etc. Thus, the networkidentification engine 320 can associate user account access informationwith the network topology. For instance, the network identificationengine 320 can store mappings between nodes determined in the networktopology, and user accounts permitted to access the nodes.

Additionally, the risk assessment system 100 includes a riskdetermination engine 330 to determine risks associated with the network110 being compromised, e.g., by an attacker. For instance, the riskdetermination engine 330 can determine compromise values associated witheach node, e.g., approximate costs that would be incurred to a companythat owns the network 110 if one or more network devices werecompromised. The risk determination engine 330 can then identify nodesthat each user account, node, or group of user accounts or nodes, ispermitted to access, and determine a total compromise value. The totalcompromise value represents approximate costs that would be incurred ifa particular user account, or particular node, were compromised.Furthermore, the risk determination engine 330 can determine a totalcompromise value for the entire network 110, e.g., from respectivecompromise values of each node. Examples of determining a totalcompromise value are described below, with reference to FIG. 7.

The risk determination engine 330 can also determine compromiselikelihood for each node, and user account, associated with the network110. The compromise likelihood identifies a probability of the node, oruser account, being compromised. Examples of determining compromiselikelihood are described below, with reference to FIG. 6. The riskassessment system can then determine a compromise risk value for eachnode, or user account, from the compromise likelihood for the node, oruser account, the total compromise value for the node, or user account,and possible other attributes associated with the node and/or useraccount. In one embodiment, the compromise risk value is a scaledversion of the total compromise value, scaled by the compromiselikelihood (e.g., probability that the node, or user account, can becompromised). Examples of determining compromise risk values aredescribed below, with reference to FIG. 6.

The risk determination engine 330 can also generate user interface dataidentifying the network topology, described above, and risks associatedwith the network 110. In some implementations the risk determinationengine 330 generates a graph of nodes and edges, with each noderepresenting one or more network devices, and each edge identifying aconnection between two nodes. The user interface data is configured tobe provided for presentation, and receive interactions from a systemadministrator using the risk assessment system 100. Example userinterface data is described above, with reference to FIGS. 2A-2E.

Example Methods

FIG. 4 illustrates a flowchart of an example process 400 for networkrisk assessment. For convenience, the process 400 will be described asbeing performed by a system of one or more computers, e.g., the riskassessment system 100. Depending on the embodiment, the method of FIG. 4may include fewer or additional blocks and the blocks may be performedin an order that is different than illustrated.

In the example of FIG. 4, the system obtains information describingnetwork traffic between network devices in a network (block 402). Thesystem can obtain the information, e.g., router logs, router rules,firewall logs, and so on, from one or more databases. Informationdescribing network traffic is any information that identifies one ormore network devices that can communicate with, or access, each other.In some implementations, the system maintains the databases andretrieves the information, e.g., from routing devices, for storage inthe databases. In some other implementations, the system can access thedatabases that have been pre-populated with information describingnetwork traffic.

As described above, the information can be from routing systems thatroute requests from a network device to an appropriate receiving networkdevice. Routing systems can include routers, and proxy servers that hidean identification of the requesting network device and route the hiddenrequest to a receiving network device. As described below in block 404,the system may obtain proxy logs to identify that two network devicesare in communication with each other, even though a proxy server wouldordinarily hide that reality.

In some implementations the system can actively determine networkdevices that can communicate with, or access, each other by providingtraceroute requests to all network devices. A traceroute request reportsthe route that the request took to get a receiving network device, e.g.,the network devices and routers that the request was provided to. If thesystem receives a response identifying the traceroute, the system canstore information identifying all the network devices involved in theresponse and the respective connections between them. Additionally thesystem can provide a traceroute request to all possible addresses ofnetwork devices on particular subnets, e.g., the system can cyclethrough all permutations of network addresses in the subnet, andidentify network devices from traceroute requests that receive aresponse.

Next, the system determines a network topology from the informationdescribing network traffic (block 404). A network topology identifiesnodes that each represents one or more network devices connected byedges, with each edge representing a communication link. Each edge canbe associated with a direction from a node to another node, e.g.,identifying a direction of communication. Additionally edges can bebi-directional. In some implementations, the system can represent allnetwork devices that belong to a particular subnet as being a singlenode. In some other implementations, a system administrator using thesystem can identify that more than one network device is to belong to asingle node.

To determine the network topology, the system can obtain router logs,e.g., NETFLOW data, that identifies network traffic between networkdevices that provide requests to, or receive requests from, routers. Thesystem then identifies pairs of network devices that have communicated,and represents the network devices as nodes connected by respectiveedges.

The system can also obtain firewall logs, and identify network devicesexpressly permitted to communicate with, or access, other networkdevices. Additionally, the system can obtain proxy logs, and identify arequesting network device, and a receiving network device. Since a proxyserver hides the requesting network device's address, e.g., networkaddress, from the receiving network device, discovering whether twonetwork devices are in communication with each other would be difficultwithout proxy log information. The system can also utilize router rules,e.g., rules specifying a method of routing requests received fromparticular network devices. In this way the system can determine, fromthe rules, that two network devices are in communication with each otherby identifying a router rule specifying the communication.

In some implementations, the system can obtain information identifyingnetwork devices that are physically connected, e.g., by a direct wiredor wireless connection. The system can store these connected networkdevices as nodes connected by edges in the network topology.

Moving to block 406, the system associates identifications of useraccounts permitted to access network devices with respective nodes ofthe network topology. For example, the system obtains access informationfrom one or more access rights, access records, and/or other sources.Such information may indicate user accounts that have access torespective nodes and user accounts that have actually accessed nodeswithin a defined time period (e.g., the previous week, month, year, orselectable time period), respectively. From this user account accessinformation, the system may associate identifications of the useraccounts with nodes that include the accessible and/or accessed nodes.In one embodiment, the system first overlays access records and thenaccess privileges onto the network topology generated in block 404 toprovide a network topology with overlaid access rights and accesshistory information.

In some implementations, the system can provide information, e.g., to asystem administrator, identifying user accounts permitted to accessnodes that they haven't actually accessed in a selectable period oftime, e.g., one month, 3 months, one year.

Furthermore, the system can obtain physical active control list (ACL)badge information to identify rooms containing network devices that aperson associated with a user account can physically access. Nodesincluding the network devices in the identified rooms are associatedwith (e.g. indicated as accessible by) identifications of the useraccounts.

Examples of associating identifications of user accounts with nodes arefurther described below, with reference to FIG. 5.

The system generates user interface data identifying the networktopology (block 408). In some implementations, the system generates agraph that identifies the network topology, e.g., FIG. 2A. The graph canbe a directed graph, and each node in the graph can correspond to a nodein the network topology. Similarly, each directed edge in the graph cancorrespond to an edge in the network topology. In some otherimplementations, the system generates a table that identifies all nodesthat each particular node can access.

This user interface data can be provided for presentation, e.g., to asystem administrator using the system. Additionally, the system canreceive interactions with the user interface data and update the userinterface according to the interaction discussed above, e.g., FIGS.2A-2D. for example, a network administrator can click on a particularnode of a network topology in order to cause the system to automaticallydetermine access rights associated with that node and display those inthe network topology (e.g., via some type of overlay, such as coloringcertain nodes, shading certain nodes, hiding nodes that are notaccessible by the selected node, etc.). In addition, the networkadministrator may be able to zoom in and out of the network to viewadditional detail or less detail regarding the network topology. Forexample, in response to a zoom level being decreased (to view more ofthe network topology), the system may group nodes (such as nodes thateach have a common connection to a particular node) for simplifiedpresentation of that group of nodes. The network administrator canmanipulate and explore the network topology before compromise values arecalculated and/or after such compromise values are calculated. In oneembodiment, compromise values may be calculated in response to a networkadministrator selecting one or more nodes on a network.

In the embodiment of FIG. 4, the system determines a compromise valueassociated with each node in the network topology (block 410). Acompromise value represents an approximate cost that would be incurred,e.g., to a company that owns the network, if the node were compromised,e.g., by an attacker. For nodes that include more than one networkdevice, e.g., multiple network devices that are part of the same subnet,the system can determine compromise values of those multiple networkdevices, and compute a sum of the network devices for the node.

For instance, the compromise value can be the cost of the data stored bythe node, such as a value to recover the data, a value to ensure thatall data stored by nodes has not been tampered with, a value to pay forspecialized services associated with loss of the data (e.g., creditmonitoring), costs of insurance deductibles and/or increases inpremiums, and/or any other costs. The compromise value of a node canalso be the cost incurred by a company that owns the network if the nodewere out of service, e.g., offline. The cost can be the cost incurredper day by the company, or cost incurred hourly (or any other unit oftime). The compromise value can also factor in the cost to replace thenode, and information stored on it. Additionally, any compromise of thenetwork can be associated with a compromise value that is in addition toa compromise value of each node, e.g., a reputational compromise value.This reputational compromise value identifies an expected loss to thecompany that operates the network, e.g., any quantifiable loss ofinvestor faith, loss of consumer faith, or costs incurred with respectto average legal fees to defend itself in a lawsuit by a government or aconsumer.

In some implementations the system can obtain information that describeswhat each node stores, and determine an associated compromise value fromthe information. To determine an associated compromise value, the systemcan store mappings between specific types of information and associatedcosts. For instance, if the system obtains information a particular nodethat stores credit card information, the system can identify anassociated cost in the mappings, e.g., cost per particular credit card.In some other implementations, the system can receive approximate costsof information stored in a node, e.g., from a system administrator usingthe system.

In some implementations, the system can provide an identification of thecompromise values to a system administrator using the system as anoverlay of the graph identifying the network topology, e.g., FIGS.2A-2E.

After determining compromise values, the system can receiveidentifications of user accounts, or nodes in the network topology, anddetermine a total compromise value associated with all nodes that theuser account, or identified node, can access. In this way a company canquickly identify the potential costs incurred to them if any useraccount, or network device, were compromised. Examples of determiningtotal compromise values are described below, with reference to FIG. 7.

FIG. 5 illustrates a flowchart of an example process 500 for determiningaccess rights of user accounts. For convenience, the process 500 will bedescribed as being performed by a system of one or more computers, e.g.,the risk assessment system 100. Depending on the embodiment, the methodof FIG. 5 may include fewer or additional blocks and the blocks may beperformed in an order that is different than illustrated. Additionally,the system can perform blocks 502-504 in parallel with blocks 506-508.For example, the processes of analyzing access records and analyzingaccess rights may not be dependent on one another. Thus, access rightsmay be analyzed independent of access records, and such analysis mayeven be performed concurrently in order to obtain potentiallyunnecessary privileges associated with the user account.

The system identifies access records, such as network log-in data,associated with the network (block 502). As noted above, access recordsmay describing user accounts that have logged into, e.g., accessed,particular network devices. The access records can be actively obtainedfrom each network device and/or from a database storing log-in data. Forinstance, the system can provide a request to each network device toreceive log-in data, e.g., data describing user accounts that havelogged into the network device. The access records can includehistorical log-in data, e.g., log-in data from the prior quarter, month,or year (or any other period of time).

The system identifies user accounts that accessed nodes using the accessrecords (block 504). The system scans the access records to identifyuser accounts, and network devices that each of the user accounts haveaccessed. The system then associates identifications of user accountswith respective nodes in the network topology.

The system identifies access rights associated with the network (block506). As noted above, access rights can identify user accounts permittedto access each network device, e.g., over a network, regardless ofwhether the user account actually has accessed the network device.Additionally, physical access rights can identify whether personsassociated with user account can physically touch network devices, e.g.,whether the persons have access to rooms that contain particular networkdevices.

The system identifies user accounts permitted to access nodes (block508). As described above in block 506, the system identifies useraccounts permitted to access, e.g., over a network or physically,network devices. The system then associates identifications of the useraccounts with nodes in the network topology that include the respectivenetwork devices.

With the information regarding nodes that the selected user account canaccess (e.g., based on access rights) and information regarding nodesthat the selected user account actually has accessed (e.g., based onaccess records), the system can determine a recommendation for reductionof access rights to the particular user account, such as to removeaccess rights to any network nodes (or other object on the network) thatthe user account has not actually accessed (e.g., within the time perioddetermined by the network administrator), but for which the user accounthas access rights. Such a recommendation may be provided to the networkadministrator via many manners, such as by highlighting nodes on anetwork topology (e.g., overlaid on any of the network topologies ofFIG. 2) for which access rights may be removed. In some embodiments, thesuggested reduction of access rights may be implemented via the sameuser interface by the network administrator selecting a button or otherUI control indicating a desire to have the system automaticallyimplement such suggested reduction in access rights.

FIG. 6 illustrates a flowchart of an example process 600 for determiningthe compromise risk value associated with a user account or node. Forconvenience, the process 600 will be described as being performed by asystem of one or more computers, e.g., the risk assessment system 100.Depending on the embodiment, the method of FIG. 6 may include fewer oradditional blocks and the blocks may be performed in an order that isdifferent than illustrated.

The system receives an identification of a user account or node (block602). A system administrator can provide a user account name, or thesystem can provide search functionality to help facilitate identifying auser account. In one embodiment, the system performs the below-notedprocess for each user account and/or user account group to developcompromise risk value for each and provides a sorted listed of theaccounts and account groups. Thus, the system administrator may beprovided with a list of users or user groups having the highest totalcompromise values and/or likelihoods and may assess whether accesscontrols with reference to those users or user groups should betightened to reduce compromise risk values.

The system administrator can also identify the network address of anetwork device included in a node, or provide an identification, e.g., aname, of the node. In some implementations the system administrator canprovide a selection of the node as presented in the graph identifyingthe network topology, described above with reference to block 408 ofFIG. 4.

The system determines a total compromise value of the user account ornode (block 604). The system obtains all nodes that the user account, ornode, is permitted to access, e.g., from the information determined inFIG. 5. The system then obtains a compromise value for each of theobtained nodes, and determines a total compromise value from theobtained compromise values. In some implementations the system can sumthe obtained compromise values to determine a total compromise value. Insome implementations the system can apply weights to each of theobtained compromise values, e.g., scaling factors, to determine thetotal compromise value. Examples of determining a total compromise valueare described below, with reference to FIG. 7.

The system determines a compromise likelihood for the user account ornode (block 606). The system determines a probability, or decimal value,that the user account, or node, can be compromised.

For example with a user account, the system can obtain informationidentifying a complexity of the user account password, the location thata person associated with the user account normally logs into nodes from,a length of time the person has worked at the company that controls thenetwork, one or more values identifying an importance of the useraccount, and so on. This information can be provided to a machinelearning model, e.g., a neural network, a Gaussian mixture model, and soon, and the system can obtain a probability identifying a chance theuser account will get compromised.

For example with a node, the system can obtain information identifyinguser accounts that are permitted to access the node, and obtaininformation identifying password complexities of each user account,locations that persons associated with the user accounts normally log infrom, length of time that the persons have worked at the company, and soon. Additionally, the system can obtain information describing how easy,or hard, it is for persons to access, e.g., physically access, the node.The system can identify whether the node is associated with a highcompromise value, e.g., identifying that the node is an importanttarget, or whether the node is permitted to access another node with ahigh compromise value. Compromise likelihood may consider linkages (e.g.proximity to insecure parts of the network like the demilitarized zoneof the network), attributes (e.g. software version) for a given node,and/or an academic theory like attack graphs in computing a compromiselikelihood for a node. This information can be provided to the machinelearning model, described above, and the system can obtain a probabilityidentifying a chance the node will get compromised.

In some implementations the system determines compromise likelihoods foreach node after, or before, determining the compromise value for thenode, described above with reference to block 410 of FIG. 4. Similarly,the system can determine compromise likelihoods for each user account.That is, the system can automatically determine a compromise likelihoodfor each user account, or node, e.g., without system administratoraction. After determining the network topology, the system can provideinformation identifying the network topology, e.g., a graph, and includethe compromise value and compromise likelihood for each node in thegraph, e.g., described above with reference to FIG. 2C.

In the embodiment of FIG. 6, the system determines a compromise riskvalue for the user account or node (block 608). For example, the systemobtains the total compromise value, determined in block 604, and thecompromise likelihood, determined in block 606, and determines acompromise risk value for the user account or node. In someimplementations the system computes a multiplication of the totalcompromise value by the compromise likelihood, e.g., decimalrepresentation of the compromise likelihood to arrive at the compromiserisk value for the selected user account or node. In other embodiments,the compromise risk value may be calculated based on other combinationsof total compromise value, compromise likelihood, and/or other factors.

The system can then provide the compromise risk value for presentationto a system administrator, who can identify a scaled version of the riskof a user account, or node. For instance, a system administrator candirectly compare any arbitrary node, or user account, and identifynodes, or user accounts, that are high risk, e.g., have a highcompromise risk value.

Additionally, the system can automatically determine a compromise riskvalue for each node and/or each user account, associated with thenetwork. The system can then determine a network compromise risk value,e.g., by combining in some manner, such as summing, the compromise riskvalues for each node and/or user account in the network. The networkcompromise risk value identifies a compromise risk value for the entirenetwork, and can then be provided to a system administrator to obtain ahigh level estimation of the overall risks associated with the network.A network compromise risk value may also be compared to other networkcompromise risk values, e.g., of other organizations, such as by aninsurance provider in order to establish relative risks associated witha network.

FIG. 7 illustrates a flowchart of an example process 700 for determininga total compromise value of a node or user account. For convenience, theprocess 700 will be described as being performed by a system of one ormore computers, e.g., the risk assessment system 110. Depending on theembodiment, the method of FIG. 7 may include fewer or additional blocksand the blocks may be performed in an order that is different thanillustrated.

The system determines nodes in the network topology which the selectednode or user account has access (block 702). As described above, in step602 of FIG. 6, the system can receive a selection of a user account ornode, e.g., by a system administrator.

For a node, the system determines all communication paths from nodes inthe network topology, determined in block 404 of FIG. 4, to the selectednode, and stores information identifying the determined nodes. In someimplementations, the system can provide an identification of thedetermined nodes to a system administrator as an overlay of the graphidentifying the network topology, described above with reference toblock 408 of FIG. 4. For example, the system can shade the determinednodes as presented to the system administrator on the graph. In anotherexample, the system can present the determined nodes with hatched lines,e.g., FIG. 2B, or can color the determined nodes differently thanremaining nodes.

Similarly for a user account, the system determines all nodes that theuser account is permitted to access, e.g., from the informationdetermined in FIG. 5. In some implementations, a system administratorcan specify whether he/she is interested in nodes the selected useraccount has accessed in a previous time period, and/or nodes the useraccount is permitted to access, either physically or over a network.

In some implementations, the system can provide an identification of thedetermined nodes to a system administrator using the system as anoverlay of the graph identifying the network topology, such as in theexample of FIG. 2D and as described further above with reference toblock 408 of FIG. 4. For example, the system can shade or color thedetermined nodes as presented to the system administrator on the graph.In another example, the system can present the determined nodes withhatched lines, e.g., FIG. 2D, or can color the determined nodesdifferently than remaining nodes.

In this example, the system determines compromise values of thedetermined nodes (block 704). For example, the system may determinecompromise values for each node the user account, or node, is permittedto access. Determining a compromise value is described above, withreference to block 410 of FIG. 4.

The system, optionally, applies risk weightings to respective nodes(block 706). After obtaining compromise values for each node, the systemcan apply respective weights to the nodes, e.g., apply a scaling factorto each compromise value. In some implementations, the system can applya higher weighting to a node that has been previously identified asbeing part of a critical area, e.g., the critical area identified inFIG. 2E. In some implementations, the system can receive weights toapply to particular nodes, e.g., a system administrator can specify thatparticular nodes are of a greater importance than other nodes.

The system computes a total compromise value (block 708). In someimplementations, the system computes a sum of the compromise valuesobtained for each identified node that the selected user account, ornode, can access. In some other implementations, the system applies theweightings of block 706 to respective compromise values of nodes, andsums the output to obtain a total compromise value.

The system can then provide the total compromise values for particularnodes for presentation, e.g., to a system administrator as an overlay ofthe graph described in FIG. 4.

The system can also determine a compromise value of the entire network,e.g., the system can perform blocks 702-708, and assumes that all nodesare accessible in block 702. In this way the system can then provide acompromise value of the network, e.g., for presentation, to a systemadministrator.

In addition to the description of FIGS. 1-7 above, the system, e.g., therisk assessment system 100, can generate and provide recommendations toa system administrator using the system, e.g., a network administrator.For instance, the system can automatically identify changes in thenetwork, e.g., the network 110, that will lower total compromise values,compromise likelihoods, and/or compromise risks associated with thenetwork and/or specific user accounts and/or nodes. The system canobtain information identifying nodes that user accounts have actuallyused in a defined time period, and determine whether blocking access toremaining nodes, e.g., nodes user accounts don't actually use, willlower the compromise risk values of the user accounts to a greaterdegree than the cost of implementing the changes, and may even providesuggestions on user access rights to further restrict. For example, thesystem may provide recommendations to limit users' access rights to onlythose resources, e.g., nodes or objects within nodes, that particularuser accounts have accessed within some previous time period, such as 30or 60 days. In some embodiments, the system may have sufficient useraccess rights to ACL settings on nodes of the network to actuallyinitiate changes of user access rights, such as by transmittinginformation regarding changes to ACL rules to respective nodes.

Additionally, the system can determine whether limiting access toparticular nodes, e.g., nodes identified as being included in a criticalarea, will provide a greater decrease in compromise risk value, e.g., inunits of dollars, than the cost of implementing the changes. Todetermine whether the recommended network changes will result in agreater benefit than cost incurred, the system can obtain informationdescribing average costs of components needed to effect therecommendation, e.g., firewalls, added software to control security,added personnel costs, and so on.

The system can weigh the costs incurred to make the recommended changesagainst the benefit, e.g., the reduction in compromise risk values, andprovide a recommendation to a system administrator that is determined tohave the greatest benefit/cost incurred tradeoff. Additionally thesystem can receive an identification of a budget, e.g., from the systemadministrator, and determine recommended network changes to the network110 that fall within the budget.

Example Network Segmentation Recommendations

The system can also perform processes to determine maximum networksegmentation. That is, the system can determine a number ofcommunication paths between nodes in the network topology, and determinewhether the number can be limited. For instance, the system can limitthe number of communication paths from nodes that aren't critical tocritical nodes, or from nodes associated with low compromise values tonodes associated with high compromise values. To effect this recommendedsegmentation, the system can provide recommendations of networkcomponents, e.g., firewalls, proxy servers, and provide therecommendations as an overlay on the user interface graphs described inFIGS. 2A-2E.

Standardized Risk Assessment

In addition to the system providing recommendations to a systemadministrator, the system can be utilized by an insurance provider toquote potential insurance rates, e.g., premiums, to a company, forlosses incurred by networks being compromised. Since the system providesan actual analysis of the network, e.g., compromise values, compromiserisk values, and an analysis of user account and node access rights, theinsurance provider can determine accurate insurance rates. Additionally,the insurance provider can provide a questionnaire to a company abouttheir security protocols, e.g., access rights of employees, alarmsystems, and so on. The answers to this questionnaire can beincorporated by the insurance provider to determine insurance rates.

The insurance provider can determine insurance premiums by obtaining anaverage compromise value per node in the network, average compromisevalue per node in an identified critical area of the network, or anetwork compromise risk value. The insurance provider can then tie theabove information to one or more actuarial tables that identify costsfor insuring a company given the information. Additionally, theinsurance provider can generate actuarial tables for different sectorsof an economy, such as based on compromise risk values for multipleentities within each of those sectors. The various uses of compromiserisk values can advantageously be used by an insurance provider (andothers) to compare network security risks associated with each ofmultiple networks, such as those within the same vertical market orsector. For example, an administrator may compare risks associated withtwo different networks of a company to identify networks of relativehigher risk.

To determine actuarial tables, the insurance provider can receiveinformation from multiple companies identifying network compromise riskvalues (and/or underlying compromise values of particular nodes and/orcompromise risk values of particular nodes or user accounts), and usethe information to determine insurance rates. The insurance providertherefore has a look into the actual state of a broad segment of thenetworks utilized by companies, giving the insurance provider insightinto the proper insurance rates to quote. The insurance provider canalso provide information to a company identifying how risky theirnetwork is, e.g., the company has high compromise risk values or a highnetwork compromise risk value compared to its peers, or the company isgiving access to rights to too great a number of user accounts or nodescompared to its peers.

Example System Implementation and Architecture

FIG. 8 is a block diagram of one embodiment of the risk assessmentsystem 100, including example components and modules. In the embodimentof FIG. 8, the risk assessment system 100 includes the riskdetermination engine 330 and network identification engine 320 discussedabove with reference to FIG. 3. These “engines,” which are also referredto herein as “modules,” are configured for execution by the CPU 150 andmay include, by way of example, components, such as software components,object-oriented software components, class components and taskcomponents, processes, functions, attributes, procedures, subroutines,segments of program code, drivers, firmware, microcode, circuitry, data,databases, data structures, tables, arrays, and variables.

The risk assessment system 100 includes, for example, one or moreservers, workstations, or other computing devices. In one embodiment,the exemplary risk assessment system 100 includes one or more centralprocessing units (“CPU”) 150, which may each include a conventional orproprietary microprocessor. The risk assessment system 100 furtherincludes one or more memories 130, such as random access memory (“RAM”)for temporary storage of information, one or more read only memories(“ROM”) for permanent storage of information, and one or more massstorage device 120, such as a hard drive, diskette, solid state drive,or optical media storage device. Typically, the modules (or “engines”)of the risk assessment system 100 are connected to the computer using astandard based bus system. In different embodiments, the standard basedbus system could be implemented in Peripheral Component Interconnect(“PCI”), Microchannel, Small Computer System Interface (“SCSI”),Industrial Standard Architecture (“ISA”), and Extended ISA (“EISA”)architectures, for example. In addition, the functionality provided forin the components and modules of risk assessment system 100 may becombined into fewer components and modules or further separated intoadditional components and modules.

The risk assessment system 100 is generally controlled and coordinatedby operating system software, such as Windows XP, Windows Vista, Windows7, Windows 8, Windows Server, UNIX, Linux, SunOS, Solaris, iOS,Blackberry OS, or other compatible operating systems. In Macintoshsystems, the operating system may be any available operating system,such as MAC OS X. In other embodiments, the risk assessment system 100may be controlled by a proprietary operating system. Conventionaloperating systems control and schedule computer processes for execution,perform memory management, provide file system, networking, I/Oservices, and provide a user interface, such as a graphical userinterface (“GUI”), among other things.

The exemplary risk assessment system 100 may include one or morecommonly available input/output (I/O) devices and interfaces 110, suchas a keyboard, mouse, touchpad, and printer. In one embodiment, the I/Odevices and interfaces 110 include one or more display devices, such asa monitor, that allows the visual presentation of data to a user. Moreparticularly, a display device provides for the presentation of GUls,application software data, and multimedia analytics, for example. Therisk assessment system 100 may also include one or more multimediadevices 140, such as speakers, video cards, graphics accelerators, andmicrophones, for example.

The I/O devices and interfaces 110 provide a communication interface tovarious external devices such as, for example, the network 110 (FIGS.1-2). The network 110 may comprise one or more of a LAN, WAN, and/or theInternet, for example, via a wired, wireless, or combination of wiredand wireless, communication link. The network 110 communicates withvarious computing devices and/or other electronic devices via wired orwireless communication links.

Risk Determination of User Accounts and Network Accessible Systems

As described above, a system (e.g., the risk assessment system 100), candetermine a network topology of one or more networks, and throughinformation associated with the network topology (e.g., user accountaccess information, information describing each user account and networkdevice), can determine compromise risk values for each user account andnetwork device. This focus on determining compromise risk values can (1)greatly enhance the security of the analyzed networks and (2) quantifydamage that can be wrought through compromise of a given network deviceor user account. For example, a reviewing user (e.g., a securityofficer) can view not only an expected compromise risk of a networkdevice, indicating a weighted estimate of the cost associated with thecompromise, but also the compromise risks of all network devices incommunication paths with the network device. In this way, the system cansurface potentially hidden risks associated with a network, and shiftthe reviewing user's gaze from being focused on particular networkdevices to the entire network, afforded by access to the overall networktopology. That is, the system can determine an extent to which a networkdevice being compromised can affect the security of the entire network.

While the above description provides powerful insights into networks,the system can further enhance network security by more preciselypinning down metrics describing a likelihood of each network device anduser account being compromised, and more precisely defining the value(e.g., from an attackers perspective) of each user account and networkdevice on the networks.

Through more precisely defining value from the perspective of anattacker, the reviewing user can gain deeper insights into which networkdevices and user accounts are the most interesting to an attacker, andthus which network devices and user accounts need to be most lockeddown. For instance, the system can determine that network devices withparticular names (e.g., a domain controller), are at a great risk ofbeing attacked (e.g., a domain controller can provide access to othernetwork devices on the networks), and thus have a greater value.

As will be described, determining a likelihood of compromise (e.g., acompromise vulnerability as described below) and a value (e.g., acompromise value as described below) for a user account or networkdevice includes determining metrics that each measure an aspect of alikelihood of compromise and/or a value of an associated user account ornetwork device. For instance, a metric for determining a likelihood ofcompromise of a network device can include determining whether thenetwork device is executing applications known to be triviallyexploitable. Similarly, a metric for determining a likelihood ofcompromise of a user account can include determining whether accessingthe user account requires use of two factor authentication. The metricsfor a compromise vulnerability can be combined (e.g., weighted) todetermine an overall compromise vulnerability, and similarly the metricsfor a compromise value can be combined to determine an overallcompromise value, such as an overall compromise risk for a user, anetwork device, a network of users and network devices, and/or someother group (e.g., users associated with a same employee role, employeesassociated with a same office, network devices associated with a samefunctionality, and so on).

Coupling the expanded determination of value, with a likelihood of anassociated network device, or user account, being compromised, canprovide the reviewing user with an indication of the overall riskassociated with the network device, or user account. To visualize riskassociated with the networks, the system can generate user interfacesdescribing the risk associated with each user account and networkdevice. For instance, as illustrated in FIG. 9A, the system can map eachuser account, or network device, to a point in a chart mapped fromrespective values of compromise vulnerability and compromise value. Byscanning this generated chart, the reviewing user can identify networkdevices, or user accounts, with a high compromise value that also have ahigh compromise vulnerability, and thus should be monitored.

Furthermore, the system can monitor changes to compromise values andcompromise vulnerabilities of user accounts, and network devices, overtime. The reviewing user can then determine any positive, or negative,changes to the determined values and take remedial actions in response.For instance, the reviewing user can indicate goals to improvecompromise values and compromise vulnerabilities, and the system canmonitor whether the goals are positively affecting network security(e.g., an investment as will be described below).

The system can also obtain information describing external events (e.g.,outside of the control of an entity that maintains the networks) thatidentify real world events that inform, or affect, compromisevulnerabilities of network devices or user accounts. For instance, thesystem can monitor for compromises of domains storing user information,such as a web page, or system, being hacked (e.g., or otherwisecompromised), and subsequently user account information, or otherprivate information, being released (e.g., from a domain associated withthe web page). The system can obtain the compromised informationassociated with the external event (e.g., user account, or otherprivate, information), and determine whether any persons associated withuser accounts of the networks (e.g., employees) utilized the compromiseddomain, and if so, can raise the compromise vulnerabilities of theaffected user accounts (e.g., the persons may have utilized the samepasswords for their user accounts of the networks and the compromiseddomain user accounts). Similarly, the system can monitor for exploits ofhardware or software, identify affected network devices, and increasecompromise vulnerabilities associated with the affected network devices.In some implementations, the system can also remove, or disable, thecompromised software from the affected network devices (e.g., allowingthe reviewing user a one-stop shop to review network security andperform remedial actions).

By providing the above functionality in deceptively powerful userinterfaces, the system can facilitate greatly enhanced network security.In this way, the reviewing user can have greater faith in the health ofthe networks, and can provide customers, and other companies with aninterest in the security of the networks (e.g., an insurance company),more quantifiable assurances of the security of the networks.Furthermore, as described above, the system can also cause the removal,or disabling, of compromised software or, in some implementations,hardware utilized in network devices (e.g., the system can modifyoperating systems of the network devices to disable access to thehardware). In this way, the system can rapidly trigger fixes (e.g.,temporary fixes) to rapid time-sensitive exploits.

FIG. 9A is an example user interface 900 illustrating user account riskvalues of user accounts. The user interface 900, and additionaldescribed user interfaces, can be generated by the system (e.g., riskassessment system 100, or a presentation system in communication withthe system 100) and be provided as an interactive document (e.g., a webpage) for presentation on a user device (e.g., a terminal, a laptop, acomputer, a tablet), or other system, of a reviewing user (e.g., asecurity officer). In some implementations, the user interface 900, andadditional described user interfaces, can be generated by the userdevice (e.g., an application, such as an ‘app’ downloaded from anapplication store for execution on the user device, or other softwareexecuting on the user device). In these implementations, the user devicecan receive information (e.g., user account risk values) and present theinformation in user interfaces (e.g., according to user interfacetemplates stored by the user device).

The user interface 900 includes a graphical representation 902 of useraccount risk values of user accounts associated with one or morenetworks. As indicated above, each risk value is a combination (e.g., aweighted combination) of a compromise value (e.g., a measure describinga priority an attacker of the networks would place on compromising theuser account with respect to other user accounts) and a compromisevulnerability (e.g., a measure describing an ease at which the useraccount can be compromised).

As illustrated in the user interface 900, the graphical representation902 is a mapping (e.g., a chart) with a first axis 904, indicatingcompromise values, orthogonal to a second axis 906, indicatingcompromise vulnerabilities. Each user account is represented as a pointin the graphical representation 902 according to its associatedcompromise value and compromise vulnerability. For instance, aparticular user account 908 is illustrated in the upper right portion ofthe graphical representation 902, representing that the user account hasa high compromise value and a high compromise vulnerability. A reviewinguser (e.g., a security officer) can quickly view the graphicalrepresentation, and ascertain that the particular user account 908should be monitored, including taking remedial actions (e.g., as will bedescribed below with respect to investments) to lower the presentedcompromise vulnerability (e.g., visually ascertainable by a quickexamination of the particular user account's 908 position along theorthogonal axis 906).

The user interface 900 includes selectable options 910 to illustratechanges in user account risk values since a prior period of time (e.g.,a prior time during which user account risk values were determined). Forinstance, the reviewing user can select options to view changes thathave occurred since earlier the same day, since a prior day, since aprior month, since a prior quarter, and so on. In some implementationsthe reviewing user can indicate a particular time period of interest,and the system can determine changes in user account risk values sincethe indicated time period. Additionally, as described below, andillustrated in FIG. 28A, a time slider can be included, enabling thereviewing user to quickly slide between times of interest. Using thetime slider, the reviewing user can essentially view an animation ofchanging comprise risk.

After selecting a selectable option 910 specifying a prior period oftime, the system can access maintained information describing useraccount risk values, and determine, or obtain (e.g., from cachedpre-determined information) information indicating, prior user accountrisk values associated with the specified prior period of time. Thesystem can then determine changes in user account risk values (e.g., adifference from a present user account risk value to the prior useraccount risk value), and update the graphical representation toillustrate the respective change for each user account. In someimplementations, the system can generate an animation, video, and so on,which can be presented in the user interface 900. The generatedanimation, and so on, can illustrate each user account beginning at aninitial location in the graphical representation 902 (e.g., an initialuser account risk value determined at the selected prior time period)and transitioning to a present location in the graphical representation902 (e.g., a present user account risk value). In this way, thereviewing user can view positive or negative changes in user accountrisk values. In some implementations, the system can update thegraphical representation 902 to include two points for each user accountconnected by an edge, with each point indicating a different useraccount risk value. Furthermore, in some implementations each pointassociated with a user account can be illustrated as a particular colorcorresponding to the determined change. For instance, positive changes(e.g., reductions in user account risk values) can be particular colors(e.g., darker shades of green can indicate greater reductions), andnegative changes can be particular colors (e.g., darker shades of redcan indicate greater increases).

The user interface 900 further includes identifications of user accountswith associated user account risk values greater than a threshold (e.g.,a top user selectable threshold number of user accounts). Theidentifications can be presented in a list 912 organized according torespective user account risk values. Each user account can be selected,and information describing the user account can be presented in the userinterface 900. For instance, and as illustrated in FIG. 17, user profileinformation associated with the user account can be presented, alongwith indications of particular metrics that are causing the selecteduser account to have a high user account compromise value. Examples ofmetrics are described below, with respect to FIG. 12A-12B.

The user interface 900 can be updated to include information similar tothe above description for network devices 914, such that the reviewinguser can determine associated network device risk values for eachnetwork device.

As illustrated in FIG. 9B, the system can provide description of summarydata associated with user account risk values and/or network device riskvalues. For instance, the user interface 920 indicates metrics 922 thatare most affecting the network device risk values of network devices. Asan example, the system has determined one or more metrics indicatingthat a large percentage (e.g., greater than a threshold) of networkdevices are executing applications known to be trivially exploitable(e.g., comprised without extensive effort by a hacker). The userinterface 920 includes text 924 (e.g., the system can store textualdescriptions) describing the metric, and indicates a percentage ofnetwork devices 926 that are affected (e.g., executing exploitablesoftware), along with an indication of when the metric was lastimproved, for example from a previous determination of the metric.Additionally, the user interface 920 includes a percentage of criticalnetwork devices 928 (e.g., network devices indicated to the system asbeing critical, or network devices determined to be critical accordingto a name of the network device, such as a domain controller, oraccording to a determined critical area as described above in FIG. 2E).The system also identifies affected network devices as a graphicalrepresentation 930, which can be the graphical representation of allnetwork devices 932 filtered to only include affected network devices.

Similarly, the system has determined that a metric 934 affecting useraccount risk values is associated with administrative accounts havingexcessive privileges (e.g., as described above with respect to FIG. 5),and includes information describing the metric. In the example userinterface 920, the system has determined that “60” users haveunnecessary privileges, including “24” administrative users, and furtherindicates a most recent time that the metric has improved (e.g.,improved greater than a threshold, such as by a threshold percentagereduction of users, or by an actual threshold reduction in number ofusers).

FIG. 9C is an example user interface 940 illustrating modifications tonetwork device risk values caused by an external event. As describedabove, quantifying an external event (e.g., a real world event thatinforms, or affects, compromise vulnerabilities) can be difficult, andoften an entity (e.g., a corporation) will be unable to determine theseverity of an exploit to software or hardware.

The system can determine the degree to which an external event, such asa FLASH zero-day exploit as illustrated, affects network device riskvalues of network devices. For instance, the system can determine thatthe specific application affected by the external event (e.g., FLASH)can allow for an attacker to compromise a host network device, and canthus increase an associated value of a metric describing exploitableapplications. After modifying network device risk values of affectednetwork devices (e.g., network devices running FLASH), the system canprovide information describing the external event in the user interface940.

User interface 940 includes a graphical representation 942 of networkdevices mapped in a chart according to respective network device riskvalues as described in FIG. 9A. In some implementations, to illustratethe affect of the external event, the graphical representation 942 caninclude an animation, a video, and so on, which identifies (e.g.,highlights) affected network devices and illustrates their increase inassociated compromise vulnerability. In this way, the reviewing user canquickly review the graphical representation 942 to get a sense of howdeeply the external event affects the network devices.

Along with presenting information describing the external event, thesystem can facilitate remedial actions to be taken. FIG. 9D is anexample user interface 950 illustrating remedial actions 952 to be takenin response to an external event. As will be described (e.g., withrespect to FIG. 13), one or more network devices can include software(e.g., an agent) in communication with the system. The reviewing usercan interact with user interface 950 to immediately handle the externalevent, and reduce the network device risk values (e.g., by reducingcompromise vulnerabilities of affected network devices).

For instance, the user interface 950 includes remedial actions 952 to“kill” (e.g., kill processes associated with FLASH, remove FLASHentirely, and so on) FLASH on network devices with compromise valuesgreater than a threshold (e.g., the highest value network devices). Inthis way, the reviewing user can immediately reduce a threat to highvalue network device targets. The user interface 950 includes agraphical representation 954 of high value network devices that areaffected (e.g., the high value network devices can be highlighted).Similarly, the user interface 950 includes a remedial action 952 to“kill” FLASH on a majority of network devices 956, and on “top machines”958 (e.g., network devices with highest network device risk values, suchas a top threshold percent of network devices or a top thresholdnumber).

By providing the reviewing user the immediacy of information describingan external event, and then facilitating a remedial action to improvenetwork security, the system can better ensure that events outside thecontrol of the reviewing user can be dealt with proportionally to theirseverity.

FIG. 10 is a block diagram of one embodiment of the risk assessmentsystem 100, including example components and modules. The riskassessment system 100 includes many components similar to those in thesystem of FIG. 8, such as one or more central processing units (“CPU”)150, one or more memories 130, and one or more the modules (or“engines”), etc.

In the embodiment of FIG. 10, the risk assessment system 100 includes avalue determination engine 1010 (e.g., which can implement functionalitydescribed below with respect to FIGS. 12A-12B) and vulnerabilitydetermination engine 1020 (e.g., which can implement functionalitydescribed below with respect to FIG. 12A-12B). These “engines,” whichare also referred to herein as “modules,” are configured for executionby the CPU 150 and may include, by way of example, components, such assoftware components, object-oriented software components, classcomponents and task components, processes, functions, attributes,procedures, subroutines, segments of program code, drivers, firmware,microcode, circuitry, data, databases, data structures, tables, arrays,and variables.

FIG. 11 is a flowchart of an example process 1100 for generating userinterface data describing risk values associated with user accounts andnetwork devices of one or more networks. For convenience, the process1100 will be described as being performed by a system of one or morecomputers (e.g., the risk assessment system 100).

The system obtains configuration information describing network devices(block 1102). To analyze vulnerabilities of network devices, and thuslikelihoods that network devices can be compromised, the system obtainsconfiguration information for each network device. The configurationinformation can include types of software being executed on the networkdevice (e.g., applications, operating systems, and so on), hardwareincluded in the network device, network information associated with eachnetwork device, and so on.

The system obtains indications of user access rights of user accounts,and user account information of user accounts (block 1104). As describedabove, with respect to FIGS. 3-4, the system can obtain user accountaccess information (e.g., indicating actual access attempts to networkdevices, or accesses that are possible) identifying access rights ofuser accounts with respect to network devices, group membershipinformation of user accounts, and so on.

The system also obtains user account information of user accounts, whichcan include user profile information (e.g., an employee role associatewith each user account, a department in which the employee works,locations from which the user account is utilized), user account rulesenforced on the networks (e.g., whether two factor authorization isrequired, whether passwords need to be changed after an elapsed periodof time), network actions of user accounts (e.g., web pages visited byemployees associated with the user accounts, services accessed (e.g.,software services accessible over the Internet as will be described,user account transitions to subsequent user accounts), and so on.

The system determines network device risk values for one or more networkdevices (block 1106). The system determines compromise vulnerabilitiesand compromise values for the one or more network devices, and combines(e.g., weights) the determined information to determine network devicerisk values. Determining network device risk values is further explainedbelow, with respect to FIG. 12A.

The system determines one or more metrics that measure aspects of acompromise vulnerability and a compromise value for each network device.Each metric associated with a compromise vulnerability measures anaspect of a network device that is known, or assumed, to be associatedwith an increase in the network device being able to be compromised(e.g., by an attacker). For instance, an example metric measures thedegree to which a network device follows basic security practices (e.g.,practices set forth as one or more rules by a security officer),including whether the network device runs anti-virus software, securitysoftware, and so on. The example metric can increase in value dependingon the degree to which the network device is an outlier with respect tothe ideal values for the metric (e.g., an L2 norm associated with thepractices). In the described example, the value of the metric canincrease if a network device does not run anti-virus and/or securitysoftware. The system can then combine (e.g., weight) respective valuesof the metrics to determine a compromise vulnerability for each networkdevice.

Similarly, each metric associated with a compromise value measures anaspect of a network device that is known to increase the priority anattacker might place on compromising the network device. For instance,an example metric measures whether the network device is used by useraccounts with compromise values greater than a threshold. An attackermight place a high priority on a network device used by high value useraccounts, so that he/she can obtain log-in credentials (e.g., skim thecredentials) by compromising the network device.

The system determines user account risk values for one or more useraccounts (block 1108). As above, the system determines compromisevulnerabilities and compromise values for the one or more user accounts,and combines (e.g., weights) the determined information to determineuser account risk values. Determining user account risk values isfurther explained below, with respect to FIG. 12B.

The system determines one or more metrics that measure aspects of acompromise vulnerability of the user accounts. For instance, the systemcan determine whether user accounts are required to have changedpasswords periodically, and if not, the system can increase the metric,and thus compromise vulnerabilities, of all affected user accounts.Additionally, a metric can measure whether an employee, while logged-inas a user account, is known to visit web pages that are identified asmalicious. The system can obtain log data describing network actions toidentify web pages visited by user accounts.

The system determines one or more metrics that measure aspects of acompromise value of the user accounts. For instance, a metric canmeasure an importance of group membership information associated witheach user account. That is, the system can increase a value of themetric based on whether a user account is included in a group thatincludes user accounts associated with particular employee roles (e.g.,executive employees, security officers, and so on).

The system can optionally determine a risk value for the one or morenetworks (e.g., a total risk value), for all network devices (e.g., atotal risk value for the network devices), and for all user accounts(e.g., a total risk value for user accounts).

For instance, in some implementations the system can combine (e.g.,determine a measure of central tendency) of all risk values for networkdevices to determine a total risk value for the network devices, andsimilarly for user accounts. Additionally, the system can weight thetotal risk value for network devices and total risk value for useraccounts to determine a risk value for the networks.

In addition, the system can determine metrics associated withinformation of all network devices and/or all user accounts (e.g., somemetrics measure information for individual network devices and/or useraccounts as described in FIGS. 12A-12B).

That is, in some implementations the system can determine the belowinformation, and utilize the determined information to determine a totalrisk value of network devices, a total risk value of user accounts, anda total risk value of the networks.

For instance in determining a total risk value for the network devices,the system can determine a number of network devices (e.g. a totalnumber of network devices associated the networks), a number of inactivenetwork devices (e.g., a number of network devices with no active logonsin a prior time period such as 90 days), a number of machines runningvulnerable operating systems, a number of network devices that haven'tbeen analyzed to determine applications executing on the respectivenetwork device, a number of distinct applications running on thenetworks (e.g., on network devices included in the networks), apercentage of applications that are up to date (e.g., a currentversion), a percentage of commonly exploited applications that are up todate), a number of network devices with local administrator accounts onthem, and so on.

To determine a total risk value for the user accounts, the system candetermine a number of administrator accounts (e.g., a total number ofenterprise, domain, and built-in accounts on the networks, a recommendedvalue for each is less than a threshold such as 10, 12, 20), a number ofenabled administrator accounts (e.g., a total number of usableadministrative accounts), a number of stale administrator accounts(e.g., a number of administrative accounts with no logons in a priortime period such as 30 days) a number of administrative accounts withold passwords (e.g., a number of accounts with passwords that haven'tbeen changed in longer than a threshold such as 180 days), a number ofadministrative accounts not using two factor authentication (e.g.,number is to preferably be less than or equal to a threshold such as 0,1, 2), a number of distinct local administrator accounts, and so on.

To determine a total risk value for the networks, the system can combinethe above determined information, along with information including, anumber of secure to non-secure communication paths (e.g., a number ofdetected network paths between a secure and non-secure portion of thenetwork), a number of secure to external communication paths, a numberof low volume connection paths (e.g., a number of communication pathsthat are rarely traversed). Determining communication paths (e.g.,secure, non-secure connections, which can be determined from a networktopology, and so on) are described above, with respect to FIGS. 2A, 6,and so on).

The system generates user interface data describing the determined riskvalues (block 1110). As illustrated in FIGS. 9A-9D, the system generatesuser interface data for presentation on a user device. Utilizing theuser interfaces, a reviewing user can monitor risk values of networkdevices and user accounts, enabling the reviewing user to determinewhether the overall security of the networks is improving.

To facilitate this enablement, the system monitors network device riskvalues and user account risk values (block 1112). The system determinesrisk values periodically, and maintains (e.g., in one or more databases)multitudes of risk values for each network device and user account overlengths of time.

The system generates user interface data describing the monitored riskvalues (block 1114). As illustrated in FIGS. 9A-9B, the system cangenerate user interface elements that illustrate the change in riskvalues. Using these generated user interfaces, the reviewing user canexamine quantifiable empirically generated evidence regarding the riskof user accounts and network devices associated with the networks.

FIG. 12A is a flowchart of an example process 1200 for determining anetwork device risk value of a network device. For convenience, theprocess 1200 will be described as being performed by a system of one ormore computers (e.g., the risk assessment system 100).

The system determines metrics measuring aspects of a network devicecompromise vulnerability (block 1202). As described above, a networkdevice compromise vulnerability is a measure describing a likelihood anetwork device can be compromised (e.g., by a malicious actor). Todetermine the network device compromise vulnerability, the systemdetermines multitudes of metrics that each measure a particular aspectof an increase in likelihood of compromise. While examples of metricsare described below, it should be understood that the examples are notexhaustive, and additional metrics can be included. Additionally, thesystem can utilize less than the total of the metrics described below todetermine a network device compromise vulnerability.

The system determines a metric measuring the network device'sconformance to one or more best practice guidelines for basic security.An entity (e.g., a corporation, governmental entity) can generate bestpractice guidelines that indicate base network device configurationsthat are acceptable within the entity. The system can access informationdescribing the guidelines, and measure a distance from the guidelinesthat the actual configuration information for the network deviceindicates. For instance, the guidelines can indicate that each networkdevice is to execute an anti-virus software, or a particular type orversion of anti-virus software, along with other monitoring softwareincluding software to scan files received in e-mails, firewall softwareexecuting on the network device, and so on. The system obtains theconfiguration information for the network device, and determines whetherthe network device conforms to the guidelines. For each determinedinstance of non-conformity (e.g., lack of an anti-virus software) thesystem can increase a value associated with the metric. Additionally,the system can increase the value by varying amounts depending on thedistance from the ideal described in the guidelines (e.g., if thenetwork device runs anti-virus software which hasn't had its virusdefinition data updated recently, the value can be lower than if thenetwork device fails to run anti-virus software at all). Similarly, thesystem can increase the value by varying amounts depending on aweighting, or importance, that is associated with each best practice(e.g., not having anti-virus software can be weighted higher thansoftware to scan files received in e-mails).

The system determines a metric measuring a degree to which the networkdevice is running (e.g., executing, or just merely installed oravailable to be run on the network device) software that is known to beexploitable. The system can obtain information describing exploits ofsoftware, and obtain information describing software on the networkdevice (e.g., the system can communicate with an agent executing on thenetwork device, or the system can access configuration information forthe network device) to determine whether the network device is runningexploitable software. As an example of obtaining exploits of software,the system can utilize the Common Vulnerability Scoring System (CVSS) todetermine exploits. The system increases the value associated with themetric depending on the exploit associated with the software (e.g.,software exploits that allow for the complete compromise of the networkdevice can have a higher value than other exploits). For instance, thesystem can access the value assigned to the exploit by the CVSS (e.g., anumber between 1 and 10). Similarly, the system can increase the valueassociated with the metric depending on a number of softwareapplications known to be exploitable, or that have had exploits in thepast. Furthermore, even if the network device executes software thatdoes not have any presently known exploits, the value associated withthe metric can be increased if the software is known to have hadexploits in the past, or is of a type that commonly has exploits (e.g.,web browsers are known to have exploits, which can be undiscoveredpublicly but utilized in the wild, for instance by malicious actors).

The system determines a metric measuring a level of inactivity of thenetwork device. The system determines whether the network device hasbeen inactive for greater than one or more threshold time periods, witheach threshold being associated with a particular value for the metric.For instance, a network device that is rarely used can be unnecessary tothe networks, and can be at an increase likelihood for compromise as anattacker might assume it is rarely monitored.

The system determines a metric measuring numbers of shared localadministrator accounts that can access the network device. The systemincreases a value associated with the metric according to increasingnumbers of shared local administrator accounts. Since an administratoraccount affords great permissions with respect to the network device(e.g., and thus other network devices it's in communication with, asdescribed above), the number of these accounts are to be kept at aminimum. Specifically, network administrators have reduced visibilityand oversight of local administrator accounts as they are not centrallymanaged, thus causing the network device to be at a greater likelihoodof compromise.

The system determines a metric associated with information describingencryption of the network device. In some implementations, the systemcan indicate that the value associated with the metric is binary,indicating whether the network device utilizes encryption. In someimplementations, the system can increase the value depending on the typeof encryption utilized. For instance, an encryption standard known tonot have any exploits, or be at a risk of being compromised, can have alow value. An encryption standard known to not be as secure, can have anincreased value.

The system determines a metric describing the network connectivity ofthe network device. The system can increase a value associated with themetric according to a degree at which the network device can beaccessed. For instance, if the network device is accessible over theInternet, the value can be high, whereas if the network device is onlyaccessible through an Intranet (e.g., which may connect to the Internetthrough a different network device), the value can be lower.

Additionally, the system determines a metric describing a number ofpaths to the network device (e.g., which can be based on a determinednetwork topology, as described above with respect to FIG. 2A-2D). Thegreater the number of paths to the network device, the more likely itcould be that the network device can be accessed, and potentiallycompromised. Similarly, a metric can determine communication paths, andnetwork connectivity, to the network device from other network devicesindicated as being valuable, or that have associated compromise valuesgreater than a threshold.

After determining one or more of the described metrics, the systemcombines (e.g., weights) the respective values to determine an overallvalue. The network device compromise vulnerability can be determinedfrom the overall value. For instance, overall values can be separatedinto ranges, with each range being associated with a respectivecompromise vulnerability. Additionally, the overall values can benormalized against a maximum overall value, or an average overall value,to determine the compromise vulnerability. In some implementations, thesystem can provide the overall value, or each measured value, to amachine learning algorithm which classifies values according toempirically determined compromises of network devices, and the machinelearning algorithm can indicate a compromise vulnerability. Similarly,in some implementations the system can provide each value of anassociated metric to a machine learning algorithm (e.g., a k-meansclustering algorithm) to cluster network devices according to the valuesof the determined metrics. The machine learning algorithm can thenprovide a compromise vulnerability for the network device.

Upon determining the compromise vulnerability for the network device,the system stores information describing the compromise vulnerability(e.g., time stamp associated with the determination, values of metrics,and so on) in one or more databases.

The system determines metrics measuring aspects of a network devicecompromise value of the network device (block 1204). As described above,a network device compromise value is a measure indicating a prioritythat an attacker would place on compromising the network device. Whileexamples of metrics are described below, it should be understood thatthe examples are not exhaustive, and additional metrics can be included.Additionally, the system can utilize less than the total of the metricsdescribed below to determine a network device compromise value.

The system determines a metric describing a type of operating systembeing run by the network device. The system can increase a valueassociated with the metric depending on whether the operating system isa consumer type (e.g., an operating system utilized on commonlypurchased computers, laptops) or a type associated with the maintenanceof networks (e.g., a server operating system, such as LINUX or other*NIX based operating systems).

The system determines a metric associated with a name, or otheridentifier, of the network device. For instance, an attacker can value anetwork device more highly if the network device has a name generallyaccepted to indicate that it has greater privileges than other networkdevices (e.g., a domain controller). The system can access informationdescribing names that have been determined to indicate more valuablenetwork devices, and can compare a name of the network device to theaccessed information. The system can then increase a value associatedwith the metric based on the comparisons (e.g., a domain controller canbe a highest value, and a name indicating a personal laptop can be alower value). Similarly, if a particular identifier, or portion of anidentifier, is associated with systems that are known to have value, thesystem can increase a value of associated with the metric. That is, evenif the identifier is not publicly known to indicate an importance (e.g.,increase in value), an attacker may determine the information (e.g.,from information indicating user accounts that access the networkdevice, from one or more files explaining naming conventions, and soon), which can increase the compromise value of the network device.Optionally, the system can increase a value associated with the metricto a greater degree if the network device is associated with a name thanif the network device is associated with an identifier, or portion ofidentifier.

The system determines a metric associated with applications, or othersoftware, being run (e.g., executed) on the network device. The systemcan obtain information identifying applications that indicate thenetwork device is utilized to maintain the networks, or deal withnetwork security. The system can then compare the identifiedapplications to applications running on the network device, and increasea value associated with the metric depending on the comparisons (e.g.,increase proportionally). For instance, applications that can beutilized to configure server systems, user accounts, update permissionsand privileges, and so on, can cause the system to increase the value.

The system determines a metric associated with user accounts that accessthe network device. As described above, with reference to FIG. 11, thesystem obtains user account access information, and can determine useraccounts that can access, or are known to access, the network device.The system can increase a value associated with the metric depending ona number of user accounts that access the network device with associateduser account compromise values greater than a threshold. The system canalso increase the value depending on the particular user accountcompromise values (e.g., proportionally to the user account compromisevalues). Since valuable user accounts are likely to access valuablenetwork devices, the system can determine valuable network devices basedon actual actions taken by the valuable user accounts.

Similarly, the system can determine the most common user account thataccesses the network device, and can increase the network devicecompromise value based on the user account compromise value of the mostcommonly utilized user account. That is, if the most common user accountis highly valuable, the system can determine that the network device isalso valuable.

Additionally, the system can determine a metric associated with a costthat would be incurred if the network device is compromised (e.g., asdescribed above with respect to FIG. 4). The system can increase a valueassociated with the metric depending on the determined cost (e.g., inproportion to the determined cost, for instance with respect to othernetwork devices).

In some implementations, the system can determine a metric describingwhether the network device is included in a secure area of the networks,or connects to network devices in secure areas (e.g., as described abovewith respect to FIG. 2 using a network topology), and can increase avalue associated with the metric accordingly.

Similar to determining the network device compromise vulnerability, thesystem can combine the determined metrics to determine a network devicecompromise value for the network device. In some implementations, thesystem can receive information (e.g., from a security officer)indicating a ranking of the most valuable network devices. The systemcan initially determine network devices associated with the highestnetwork device compromise values, and then present the determinednetwork devices for ranking by the security officer, or other employee.The network device compromise values of the network devices ranked bythe security officer can be greater than remaining network devices, andproportional to the particular ranking.

The system combines the network device compromise vulnerability andnetwork device compromise value into a network device risk value (block1206). As illustrated in FIG. 9A, the risk value is a linear combinationof the compromise vulnerability and compromise value. In someimplementations, the system can weight the compromise vulnerability andcompromise value, and normalize the result to determine the risk value(e.g., the compromise value can be weighted greater than the compromisevulnerability). In some implementations, the system can provide thedetermined compromise vulnerability and compromise value to a machinelearning algorithm trained on labeled data to determine a network devicerisk value for the network device. The system stores informationdescribing the determined network device risk value (e.g., in one ormore databases).

FIG. 12B is a flowchart of an example process 1250 for determining auser account risk value of a user account. For convenience, the process1250 will be described as being performed by a system of one or morecomputers (e.g., the risk assessment system 100).

The system determines metrics measuring aspects of a user accountcompromise vulnerability of the user account (block 1252). As describedabove, the user account compromise vulnerability is a likelihood that anattacker can compromise the user account.

The system determines a metric indicating a length of time from whichthe user account was last used. User accounts that haven't been used ina while (e.g., a user selectable period of time, such as a month, ayear) can be at a greater risk for compromise. For instance, an employeeassociated with the user account can no longer be employed at an entitywhich maintains the networks, causing the user account to beunnecessary, and at a greater risk of compromise. Additionally, if thesystem is an administrator account, the value can increase more sharplyaccording to when the account was last used (e.g., if the administratoraccount hasn't been used for a week, or a month, the value can increasehigher than a non-administrator account which hasn't been used for thesame period of time).

The system determines a metric indicating whether the user accountrequires two-factor authentication to be utilized. Since two-factorauthentication provides an added degree of assurance that a correctperson (e.g., an employee approved to use the user account) is utilizingthe user account, the user account compromise vulnerability can belower. Similarly, if the user account does not utilize two-factorauthentication, the system can increase a value associated with the useraccount compromise vulnerability (e.g., the system can increase thevalue higher if network guidelines indicate user accounts are supposedto, or are recommended to, active two factor authentication).

The system determines a metric associated with a length and/orcomplexity of the user account's password. For instance, a valueassociated with the metric can be increased if the user account islikely to be compromised utilizing a dictionary-based attack, or abrute-force attack depending on the length of the password.

The system determines a metric associated with web pages visited by theuser account. The system can obtain information describing a networkhistory of the user account, and increase a value associated with themetric based on an analysis of the visited web pages. For instance, webpages known to of a particular type (e.g., torrent web pages), or knownto be associated with malicious software (e.g., malware), can cause thevalue to be increased.

The system determines a metric associated with successful phishingattempts. In some implementations, the system can obtain informationdescribing historical phishing attempts on the user account, and whetherthey were successful. For instance, an entity that maintains thenetworks can periodically send phishing e-mails to user accounts, tomonitor whether employees associated with the user accounts fall to thephishing attempt trap and provide improper private information. Thesystem can analyze the historical performance of these test phishingattempts, along with actual malicious phishing attempts, and increase avalue associated with the metric accordingly.

Additionally, the system determines a metric associated with networkdevices the user account logs into. For instance, if the user accountcommonly accesses a particular network device with a high compromisevulnerability, or that is known to have been compromised within a priorselectable time period, the system can increase a value associated withthe metric. That is, the system can determine that the user accountcredentials can be skimmed more easily if an attacker can compromise themain network device the user account utilizes.

After determining one or more of the above metrics, the system candetermine a compromise vulnerability of the user account (e.g., asdescribed above with reference to FIG. 12A).

The system determines metrics measuring aspects of a user accountcompromise value of the user account (block 1254). As described above, auser account compromise value indicates a priority that an attackerwould place on compromising the user account (e.g., with respect toother user accounts).

The system determines a metric describing privileges and permissionsassociated with the user account. For instance, the system can increasea value associated with the metric depending on user account accessrights of the user account (e.g. whether the user account can accessnetwork devices with high compromise values). Additionally, the systemcan increase the value depending on whether the user account is anadministrator account, a local administrator account, or other useraccount which can escalate, or otherwise modify, privileges of otheruser accounts or network devices. Similarly, the system can increase thevalue if the user account is associated with other user accounts thathave increased privileges. For example, an employee can have a firstuser account (e.g., for normal use), and a second user accountassociated with an increase in privileges (e.g., for very particularuses). The system can increase the value for the first user account, asthe first user account can, in part, lead to access to the second useraccount.

The system determines a metric associated with a name of the useraccount. The system can increase a value associated with the metricdepending on whether the name includes text that indicates that the useraccount has an importance with respect to the networks. For instance,the system can determine whether the user account includes “admin”,“it”, “service”, “ops”, and so on. Upon a positive determination thesystem can increase the value. Similar to the above discussion regardingan identifier of a network device leading to an increase in the value,an identifier (e.g., a name, portion of name, numbers or charactersincluded in the name, and so on), can also lead to an increase in thevalue.

The system determines a measure associated with group membershipinformation of the user account. The system can determine, for everygroup, a distance from the group to a group including a user accountassociated with one or more executives (e.g., the chief executiveofficer), and can assign a value to the group based on the distance. Inthis way, the system can determine that user accounts closer toexecutives, can more easily access user accounts of the executives, andare thus greater in value. Specifically, these user accounts mayotherwise be less protected than the executive accounts themselves, andcan thus be used as a gateway into the more valuable executive accounts.

The system determines a metric associated with network devices the useraccount logs onto. The system can obtain indications of network devicecompromise values, and increase the user account compromise value basedon whether the user account is known to, or can, log-into high valuenetwork devices (e.g., increased proportionally to the number of networkdevices).

The system determines a metric associated with user accounts the useraccount is known to transition to, or user accounts used to transitionto the user account. For instance, if the user account is known totransition to a user account with administrator privileges (e.g., a sameemployee can have a user account utilized commonly, and a privilegeduser account to perform administrative functions), a value associatedwith the metric can be increased.

Additional metrics can include metrics associated with an employee roleof the user account (e.g., network security employees, executives, andso on can have a greater value for this metric than assistants), whetherthe user account is enabled (e.g., non-enabled user accounts that can nolonger be utilized can have a lower compromise value).

The system combines the metrics to determine a user account compromisevalue for the user account (e.g., as described above).

The system combines the user account compromise vulnerability and useraccount compromise value to determine a user account risk value (block1256). As described above, with reference to FIG. 12A, the system cancombine the compromise vulnerability and compromise value to determinean overall risk value for the user account.

FIG. 13 is a flowchart of an example process 1300 for generating userinterface data describing an external event. For convenience, theprocess 1300 will be described as being performed by a system of one ormore computers (e.g., the risk assessment system 100).

The system obtains information describing an external event (block1302). As described above, an external event is a real-world event thatinforms, or affects, a likelihood of a user account or network devicebeing compromised. One or more employees can monitor news regardingexternal events, and provide information to the system describing anyidentified external events.

For an external event associated with user accounts, the system canreceive, for example, a data dump of a compromised server system. Forinstance, if a web page is compromised by an attacker, the attacker canrelease personal information maintained by servers that host the webpage, such as user account log-ins/passwords, personally identifiableinformation, and so on.

For an external event associated with network devices, the system canreceive, for example, information describing software or hardware thatis affected by the external event. For instance, the system can receiveinformation describing that a particular application allows for aparticular type of exploit (e.g., an exploit in which an attacker canescalate privileges, an exploit in which an attacker can gain rootaccess of a network device, and so on).

In some implementations, the system can actively scan for, and obtain,information describing external events. For instance, the system canmonitor news articles for external events, and upon identification, canparse the news article to determine the scope of the event. Forinstance, an article might identify that an exploit was determined for aparticular application which allows for a particular exploit. The systemcan then store the parsed information. Similarly, the system candetermine that a web page was hacked, and either attempt to search forthe data dump, or contact a person (e.g., a security officer) alertinghim/her to the determined hacking.

The system modifies compromise vulnerabilities of user accounts and/ornetwork devices (block 1304). After obtaining information describing theexternal event, the system determines user accounts and/or networkdevices that are affected by the external event.

For an external event associated with user accounts, the system scansthrough the released data for user account, or personally identifiableinformation, associated with user accounts of the networks. Forinstance, an employee may utilize the same user account name for work asfor other web pages. The system can therefore scan through the releaseddata for user account names that are the same, or similar, to useraccounts of the maintained networks. Similarly, the system can scanthrough the released data for personal information (e.g., name, address,phone number, and so on) that corresponds to personal information ofemployees. The system can then increase the compromise vulnerability ofaffected user accounts, and in some implementations notify the useraccounts to change their passwords, or force a change in password. Insome implementations, the system can determine one or more metrics thatare affected by the external event. For instance, the system canincrease a metric associated with passwords of user accounts, since theaffected user accounts may have had their passwords compromised.Additionally, the system can increase a metric associated with phishingattempts, sine the affected user accounts may receive increased phishingattempts, or blackmail attempts.

For an external event associated with network devices, the system candetermine (e.g., from configuration information, or from agentsexecuting on network device) which network devices execute affectedsoftware, or include affected hardware. The system can then raise thecompromise vulnerabilities of the affected network devices.Additionally, as described in FIGS. 9C-9D, the system can enable areviewing user to stop the exploited application from executing on theaffected network devices, or can disable (e.g., in operating systemsexecuting on the network devices) the hardware in the affected networkdevices.

Similarly, for an external event associated with the network devices,the system can modify (e.g., raise) user account compromisevulnerabilities of user accounts that commonly (e.g., greater than athreshold) access affected network devices.

The system generates user interface data describing the external eventand modified compromise vulnerabilities (block 1306). As illustrated inFIGS. 9C-9D, the system can generate user interface data forpresentation describing an external event. Additionally, the system caninclude functionality to stop affected applications or hardware (e.g.,through communications with agents or other software executing on theaffected network devices).

FIG. 14 is a flowchart of an example process 1400 for monitoring networksecurity investments implemented in the networks. For convenience, theprocess 1400 will be described as being performed by a system of one ormore computers (e.g., the risk assessment system 100).

The system receives user input specifying an investment to be made tonetwork security (block 1402). As described above, an investment is oneor more goals, that when implemented, each reduce a risk value of one ormore user accounts and/or one or more network devices. The system candetermine investments that will most reduce risk values by analyzingwhich metrics are most commonly raising compromise vulnerabilities orcompromise values of user accounts and/or network devices.

For instance, the system can determine that a metric associated withexploitable applications on network devices is affecting greater than athreshold (e.g., a threshold percentage) of network devices. That is,the system can determine that a large number of network devices areexecuting applications that are raising compromise vulnerabilities.Additionally, the system can determine that network devices which don'thave a use for the application are executing the application (e.g., aserver system that is executing FLASH). The system can then determinethat an investment to remove the exploitable application will bebeneficial.

Similarly, the system can determine that forcing user accounts toimplement two-factor authentication will lower user account risk values.Additional examples can include an investment to remove inactive networkdevices, remove user accounts with administrative privileges thathaven't been used in a threshold time period, and so on.

The system can receive a selection of an investment (e.g., a determinedinvestment), or the system can receive information describing aninvestment (e.g., a reviewing user can indicate that he/she willimplement a particular investment).

The system monitors risk values as the investment is implemented (block1404). As described above, with reference to FIG. 11, the systemmonitors risk values of user accounts and network devices periodically.

The system generates user interface data describing the investment andmonitored risk values (block 1406). As illustrated in FIG. 21, thesystem can present information describing all investments beingimplemented, along with prior implemented investments. The system canmonitor a decrease in values associated with particular metrics as eachinvestment is being implemented, and provide summary informationassociated with the investment for presentation to the reviewing user.In this way, the reviewing user can actively monitor how actions toimprove network security are affecting risk values.

FIG. 15 is an example user interface 1500 illustrating summaryinformation of network devices and user accounts. The user interfaceincludes a user account risk value 1502 of all user accounts along witha network device risk value 1504 of all network devices. The system cancombine risk values of each user account and each network device togenerate an overall risk value, providing a reviewing user (e.g., asecurity officer) with a quick overview of risk.

The user interface 1500 further includes indications of summaryinformation 1506 associated with particular metrics used to determinecompromise vulnerabilities and/or compromise values. The system canselect metrics that are most affecting the risk values of user accountsand/or network devices, and include summary information describing eachmetric. For instance, the system has determined that a metric associatedwith a number of privileged user accounts (e.g., administrativeaccounts) has improved by 3.2% (e.g., since a user selectable timeperiod 1516), representing a decrease in user account risk values.Similarly, a number of user accounts that use two factor authenticationhas decreased by 0.6%, representing an increase in user account riskvalues.

For more detailed information, each metric included in the summaryinformation 1506 can be selected, and a graphical representation oftrends 1508 can be presented. The graphical representation 1508 includesa chart associated with the metric (e.g., as illustrated a number ofprivileged users). The chart identifies raw values associated with themetric mapped to points in time, and can therefore illustrate increasesand decreases that are associated with the metric.

Additionally, the user interface 1500 includes identifications of “topinvestments,” 1510 which as described above, are investments that aredetermined to cause the greatest reduction in risk values of useraccounts and/or network devices. For investments presently beingimplemented, the user interface 1500 includes an option to “view” 1512the progress of the implementation. In some implementations, selectingthe option to view 1512 the progress can cause the user interface 1500to be updated with detailed information regarding the investment, asillustrated in FIG. 21. For investments not presently being implemented,the user interface 1500 includes an option to “assign” 1514 theinvestment, and begin implementation.

FIG. 16 is an example user interface 1600 illustrating compromise valuesand compromise vulnerabilities. As in FIG. 15, the user interface 1600includes an overall user account risk value and network device riskvalue. Additionally, the user interface 1600 includes a weightedcombination of each overall risk value, which is an overall risk value1602 for the networks.

The user interface 1600 further includes a graphical representation 1604of user account risk values and network device risk values, which can beassigned a particular color based on respective risk values (e.g., greencan represent low risk values, and red can represent high risk values).

The user interface 1600 further identifies top investments 1606 thathave been implemented, and the resulting decrease in user account riskvalue or network device risk value. Additionally, “top concerns” 1608are included which identify user accounts and/or network devices thathave the most change in associated risk values (e.g., in a userselectable period of time 1610).

Each user account and network device included in the graphicalrepresentation 1604 can be selected, and upon selection informationdescribing the selected user account or network device can be presented.

FIG. 17 is an example user interface 1700 illustrating selection of auser account. Using the user interface 1700, the reviewing user canquickly ascertain why the selected user account is indicated in theupper right quadrant (e.g., high user account risk value).

As illustrated, a user account associated with a name of “Net Admin” wasselected by the reviewing user. The user interface 1700 providesinformation 1702 describing metrics that are most causing the selecteduser account's user account compromise vulnerability and user accountcompromise value. For instance, the system has determined that theselected user account's compromise vulnerability is “Very High” becausethe user account “hasn't been used in 3 years,” doesn't use two factorauthentication, and has logged in greater than a threshold number ofnetwork devices (e.g., “499 machines.”) Similarly, the system hasdetermined that the selected user account's compromise value is “VeryHigh” because the user account “can administer 7/9 domains,” “is anenterprise administrator” (e.g., an administrator with high privileges),and “has admin in the name.”).

FIG. 18 is an example user interface 1800 illustrating user accountsgrouped together according to employee department. Instead of merelyviewing user account risk values of each user account, the reviewinguser can select an option 1802 to view user accounts grouped accordingto department.

Upon selection of the option 1802, the system can combine user accountcompromise vulnerabilities and user account compromise values of eachrespective department, to determine overall values for the department.The overall values for each department can then be included in agraphical representation 1804. As illustrated in FIG. 18, each group isrepresented as a circle included in the graphical representation 1804.In some implementations, a size of the circle (e.g., a radius) candepend on a number of user accounts associated with the respectivedepartment. In some implementations, a size of the circle can depend ona variance of user account compromise values and user account compromisevulnerabilities (e.g., the radius can increase if user accounts havelarger varying risk values).

Through the use of user interface 1800, the reviewing user can quicklydetermine which departments need to be focused on to reduce risk values.Additionally, the reviewing user can select “Infrastructure” 1806 toview network devices organized according to infrastructure.

FIG. 19 is an example user interface 1900 illustrating summaryinformation associated with one or more metrics. The user interface 1900includes indications of metrics 1902, and whether the metric hasimproved or gotten worse in a user selectable time period. For instance,the system has determined that the “% of non-compliant valuable systems”(e.g., systems that follow basic network security guidelines asdescribed above) has improved by 0.8%. Additionally, the user interface1900 includes an option to search for a particular metric. The reviewinguser can provide a search query (e.g., a natural language search query),which the system can receive and parse to determine a matching metric.

Each metric can be selected, and network devices and/or user accountsaffected by the metric can be identified (e.g., highlighted) in thegraphical representation 1904. For instance, the reviewing user hasselected “% of non-compliant valuable systems,” and four network devicesare identified in the graphical representation 1904.

The user interface 1900 further includes detailed information 1906associated with the selected metric. For instance, the detailedinformation 1906 indicates that “25%” of the identified network deviceshave anti-virus software. Additional information is included below.

FIG. 20 is an example user interface 2000 illustrating trend informationassociated with a selected metric. The trend information 2002 includestextual descriptions of events (e.g., external events) that affected thecompromise vulnerabilities of user accounts and/or network devices.

FIG. 21 is an example user interface 2100 illustrating summaryinformation associated with presently occurring investments and a feed2102 describing events. The user interface 2100 includes a feed 2102 ofevents of importance to the reviewing user, including external events2104, particular goals of reducing metrics 2106 (e.g., included ininvestments), and so on.

Furthermore, the user interface illustrates investments 2108 that arepresently occurring, and the investment's affect on particular metrics(e.g., “First Metric” has a reduction of 3.9%). By using user interface2100, the reviewing user can quickly view an overview of all investmentsbeing made, and returns on the investments (e.g., reductions inmetrics).

FIGS. 22-24 are additional user interfaces illustrating additionalembodiments. For instance, FIGS. 22-24 illustrate metrics associatedwith network devices and user accounts.

FIG. 24 illustrates a total risk value for the networks, user accounts,and network devices. Additionally, FIG. 24 illustrates a network map,illustrating a network topology of the networks and associated riskvalues for a node in the network topology. The system can determine riskvalues of all network devices included in a node (e.g., a node thatincludes all ‘SQL Servers’). In this way, the reviewing user can examinethe network topology, and quickly identify which nodes are associatedwith a highest risk (e.g., user account risk value, network device riskvalue, and so on).

Manipulating Metrics

While determining risk values (e.g., compromise risk), as describedabove, can offer powerful insights into risk associated with a networkdevice or user account, certain metrics (e.g., metrics measuring aspectsof compromise value or compromise likelihood) may be of added, or extra,importance to particular networks. Additionally, for a particularnetwork, certain aspects of the network may be particularly important toa company, and an existing metric (e.g., as described above), may notcapture the aspects' importance to a degree sufficient to the company.

A user (e.g., a security officer) can therefore modify, or create, oneor more metrics (e.g., using one or more user interfaces generated by,or that can provide information to, the risk assessment system 100),which can be applied to the user's network(s). As will be describedbelow, the user can specify features, aspects, and so on, of a useraccount or network device the user is interested in, and specify how theinterested features, aspects, are to be measured. In this specification,a feature, or aspect, (hereinafter both referred to as an aspect) of auser account or network device is any describable property of the useraccount or network device that can inform or affect a risk of the useraccount or network device, including a property associated with a status(e.g., whether the user account or network device is enabled on anetwork), network action (e.g., a logon by a user account; communicationprovided to, or received by, a network device; information stored oraccessible by the network device; software executing on the networkdevice, and so on), privilege information (e.g., user accountprivileges), label information (e.g., an employee associated with theuser account is an executive, a network device is indicated as beingimportant), and so on.

For example, and as illustrated in FIGS. 25C-25D, a user can create ametric associated with measuring numbers of network devices that are (1)enabled (e.g., active on the networks, or that have at least onecommunication path with one or more other network devices as indicatedby a determined network topology) and (2) execute a particular operatingsystem (e.g., particular type of operating system, particular type of aparticular version, and so on). Upon creation, the metric can be appliedto live data associated with the networks, for instance in theabove-described example, the system can access configuration informationof each network device, and optionally network topology information, anddetermine a value associated with the measure. In this way, networkdevices and/or user accounts that are affected by the metric can beidentified (e.g., a network device or user account affected by a metriccan represent that a value of the metric for the network device or useraccount is greater than zero or has a Boolean True value, similarly anetwork device or user account affected by a metric can represent thatthe network device or user account conforms to the aspects associatedwith the metric).

When creating a metric, the user can select from among a list of aspectsassociated with a user account or network device, with the listincluding, in some implementations, aspects that are common to mostnetworks. For example, the list can include a name of a user account ornetwork device, a time since a user account or network device was lastaccessed, particular software being executed on a network device, and soon. Additionally, the user can define particular aspects that can bespecific to the user's network, and utilize these defined aspects whencreating a metric, or modifying a different metric. For instance, a userassociated with the Air Force can specify that a list of network devices(e.g., IP addresses of the network devices, or other identifiers of thenetwork devices) are associated with particularly sensitivefunctionality or information. That is, the user can import information(e.g., information specifying the network devices), and the user canidentify (e.g., label) the specified information. The user can define afeature associated with the list, for instance a feature labeled“isMissile,” indicating that the network devices, for example, maintaininformation associated with missile locations. When creating metrics,the user can utilize the “isMissile” label, and the system can accessthe list of network devices when applying the created metrics. In theabove described example of operating system type, the user can create ametric measuring numbers of network devices that (1) are enabled, (2)execute a particular operating system, and (3) are associated with the“isMissile” label (e.g., are identified in the list). In this way, theuser can monitor these network devices, and define an easy shorthand toreference the network devices. Similarly, the user can modify the metricto measure numbers of network devices that are in communication pathswith network devices that satisfy the above three (3) elements (e.g.,utilizing a determined network topology as described above), and so on.Thus, the user can create metrics that are specific to the user'snetworks, enabling the metrics to be updated and configurable accordingto needs of the user.

Once a custom metric has been created, for instance the aspects that areto be utilized in determining the metric have been indicated, the usercan further describe how the metric is to be incorporated in determiningrisk values. For example, a first created metric can be of minorimportance to a user, and the user can specify a weighting associatedwith the metric when determining an overall value associated with acompromise value or compromise likelihood (e.g., combining values ofmetrics to determine an overall value associated with a compromise valueor compromise likelihood, also called a compromise vulnerability, isdescribed above with reference to FIGS. 12A-12B). In contrast, a secondcreated metric can be of greater importance to the user, and the usercan cause a compromise likelihood or compromise value to be higher basedon the value of the created metric. Assigning a weighting to eachmetric, or modifying a weighting of a metric, is described below withrespect to FIG. 26.

The custom metric can be applied to the networks, and a number, orpercentage, of user accounts or network devices can be identified thatare affected by the metric. For instance, in the above-described exampleof a metric associated with network devices that are (1) enabled and (2)executing a particular operating system, the system can apply the metricto the networks and identify a number, or percentage, of network devicesthat satisfy the two conditions. As will be described below, and asillustrated in FIG. 27, one or more user interface can be generated thatenable a user to monitor the metric over time. That is, a number ofnetwork devices that conform to the metric (e.g., satisfy the twoconditions) can be included such that a user can monitor the metric, anddetermine whether any progress to reduce the number of affected networkdevices is working (e.g., the user can create an investment as describedabove with respect to, at least, FIG. 14-15).

In some implementations, a metric (e.g., a custom metric) can be used tomonitor particular aspects of user accounts and/or network devices, butnot be incorporated in determining risk values (e.g., determiningcompromise value or compromise likelihood). For instance, a user can beinterested in monitoring a count, or percentage, of network devicesand/or user accounts that are affected by a metric, and also indicatethat the metric is not to be utilized in determining risk values. Inthis way, the user can monitor the metric (e.g., identify a number ofnetwork devices that are (1) enabled and (2) executing a particularoperating system), but not include the metric when determining riskvalues (e.g., the user may be capturing risk in a different wayutilizing different metrics, and just be interested in the count orpercentage).

FIG. 25A illustrates an example user interface 2500 for creating ametric to be applied to user accounts or network devices associated withone or more networks. As described above, a user (e.g., a securityofficer) can specify information associated with a new metric, such thatthe user can measure information relevant to the user's networks.

The user interface 2500 includes an indication of the “metric type”2502, which as illustrated specifies whether the metric is associatedwith a user account or a network device. As described above, andspecifically with reference to FIGS. 12A-12B, the system can determinerisk values of user accounts and network devices using multitudes ofmetrics, with each metric being applicable to either user accounts ornetwork devices. Therefore, when creating the new metric, the user canindicate whether the metric is measuring aspects of a user account ornetwork device.

A user can specify a “display value” 2504 associated with the createdmetric. The “display value” 2504 can be modified to either display acount (e.g., a number of user accounts or network devices that satisfythe aspects indicated by the metric), or a percentage (e.g., a number ofuser accounts or network devices out of a total, which satisfy theaspects indicated by the metric). In this way, upon selection of thecreated metric, after being applied to the networks, the count orpercentage can be presented (e.g., an example presentation is includedas FIG. 27). A user can monitor the count or percentage over time, andcan take actions to lower the count or percentage (e.g., create aninvestment as described above). As an example, FIG. 15 illustrates agraph 1508 that includes a count associated with a metric (e.g., summaryinformation describing a number of privileged users). Alternatively,when creating a metric associated with privileged users, a user canindicate that the “display value” 2504 is to be a percentage, and thegraph 1508 can instead illustrate a moving percentage of the number ofprivileged users (e.g., with respect to all users). The percentage can,as an example, be preferable if the reviewing user is interested inkeeping the relative number of privileged users to below a particularthreshold percentage, and is not necessarily interested in an absolutenumber of privileged users being below a threshold amount.

Using the user interface 2500, a user can provide a name 2506 and anassociated description 2508 of the metric being created. The name anddescription can be included in subsequent user interfaces, for instancein FIG. 9B, metrics are indicated and described in the user interface920 (e.g., description 924). Furthermore, the name can be utilized as areference, for instance in some implementations the name can be includedas an aspect when creating a new metric. As an example, a metricassociated with a user account being (1) privileged and (2) known toaccess network devices that execute a particular application, can belater referenced when creating a particular metric. A user can specifythat the particular metric is to include the aspects above (e.g., aspect(1) and (2)), along with an additional aspect, such as (3) a measureassociated with a time at which the user account last changed a password2514. In this way, a metric name can act as a quick shorthand whencreating new metrics.

When indicating aspects (e.g., “filters” as illustrated in FIG. 25A)associated with the metric being created, the user can select“denominator filters” 2510 (e.g., filters that describe aspects of apool of user accounts or network devices) and “numerator filters” 2512(e.g., filters that describe aspects of a set of user accounts ornetwork devices included in the pool). As illustrated, “denominatorfilters” 2510 for a metric type 2502 “user account,” include aspects ofuser accounts such as whether the user account is enabled, is anadministrator, when the user account last accessed the networks, and soon. In some implementations, indicating both “numerator filters” 2512and “denominator filters” 2510 is associated with a “display value” 2504being a percentage, and indicating solely “numerator filters” 2512 isassociated with a count. Optionally, the user interface 2500 can greyout, or otherwise make inaccessible, the “denominator filters” 2510option when the “display value” 2504 count is selected.

Each selected “denominator filter” 2510 or “numerator filter” 2512 isassociated with a type of value 2516. For example, a type of valueassociated with a user account being enabled, (e.g., “is Enabled” asillustrated) is a Boolean response of True or False. For other types offilters, for example “Password Last Set” 2514, a type of value 2516 canbe numerical (e.g., a number of days elapsed since a passwordre-setting), a calendar date (e.g., whether the password has been setsince a particular date, such as a date after which user accountinformation may have been compromised, for instance as described in FIG.13 due to an external event), and so on.

Each of the filters (e.g., filters included in the denominator filters2510 or filters included in the numerator filters 2512) can be appliedtogether in a Boolean operation when the metric is utilized (e.g.,applied to information associated with a user account or network device,such as configuration information, user profile information, useraccount access information, network topology information, and so on).That is, the created metric can have an associated value and effect on arisk value of a user account or network device, if each of the filtersare satisfied. As an example of the created metric being applied to aparticular user account, if “Is Enabled” is True, “Is AD Admin” (e.g.,Active Directory Administrator) is True, and a “Last Logon” 2515 of theparticular user account is “within the last 30 days” 2518, then thecreated metric can have an effect on a risk of the particular useraccount.

Once the metric being created is described using user interface 2500,the user can save 2519 the metric for use in determining a compromisevalue or compromise likelihood of a user account or network device(e.g., indicated by the metric type 2502, which in the example of FIG.25A is a user account).

Additionally, as will be described, the user can specify how the createdmetric is to be utilized when determining a compromise value, orcompromise likelihood, of a user account or network device. Forinstance, an effect of the created metric can be increased (e.g., aneffect the metric has on a compromise value or compromise likelihood)depending on a distance from values of one or more of the filters. Forexample, a particular filter may be associated with a time a password ofa user account was last set, and a value may be indicated as beinglonger than the last 30 days. A value of the metric for individual useraccounts can be increased depending on a length of time, beyond 30 days,since the user accounts last had a password change (e.g., a user accountwith a password change 120 days earlier can have a higher value of themetric, such as a proportionally higher value or non-linear highervalue, than a user account with a password change 31 days earlier).

FIG. 25B illustrates an example user interface 2520 for creating ametric associated with a network device. As described above, a user ofthe user interface (e.g., user interface 2500 or 2520) can indicatewhether a metric being created is associated with a user account or anetwork device (e.g., specified by selecting a metric type 2502). In theexample user interface 2520, the user has selected “system” 2522 (e.g.,a network device).

In response to the selection of “system” 2522, the user interface 2520presents filters 2524 (e.g., aspects) that are associated with a networkdevice. For instance, the user can select aspects that are specific to anetwork device, such as “Has Application Data,” and the user can specifyinformation describing particular application data as a value. Forinstance, upon selection of “Has Application Data,” the user interface2520 can update with selectable options associated with types ofapplication data (e.g., data associated with particular applications).In contrast, the filters 2510 presented in FIG. 25A are associated witha user account being selected (e.g., the metric type 2502 is set as“user” in FIG. 25A).

FIG. 25C-25D illustrate an example of creating a metric. As illustrated,a user has selected a metric type 2532 associated with a network device(e.g., the user has selected “system”). To describe the metric, the userhas provided textual data identifying a name of the metric (e.g.,“Server OS”), and a description (e.g., “Percentage of systems executinga server operating system that are enabled”).

In accordance with the name and description, the user has indicatedaspects associated with a group of network devices related to themetric. That is, the user has specified that “Denominator Filters” 2534(e.g., as described above) are to include an operating system type withvalues of “Is” and “Server OS.” In this way, the user can limit thetotal pool of network devices to the specific group of network devicesto which the metric relates (e.g., the user has limited the networkdevices to network devices that execute a server operating system). FIG.25D illustrates the user interface 2530 upon selection of “NumeratorFilters” 2534. As described above, the metric is being created as ameasure associated with network devices that are enabled and areexecuting a server operating system. Therefore, the user has indicatedthat “Numerator Filters” 2534 specify that network devices are (1) to beenabled and (2) execute a server operating system.

As described above, with reference to FIGS. 12A-12B, a network deviceexecuting a server operating system can be associated with an increasedcompromise value. The metric being created further indicates that thenetwork devices are to be enabled, which in some implementations can beassociated with the network devices being able to presently access thenetworks, which can further increase a compromise value. As will bedescribed in FIG. 26, the user can specify a weighting associated withthe created metric when the system determines compromise values ofnetwork devices. Upon applying the created metric, a user canadditionally view summary information describing a percentage of networkdevices that satisfy the “Numerator Filters” 2534 (e.g., are enabled,and execute a server operating system), and can monitor the percentageover time (e.g. an example user interface for monitoring a metric isillustrated in FIG. 27).

FIG. 26 illustrates an example process 2600 for creating a metricmeasuring aspects of a compromise value or compromise likelihood, andapplying the created metric. For convenience, the process 2600 will bedescribed as being performed by a system of one or more computers (e.g.,the risk assessment system 100).

The system receives user input specifying a type of metric andidentification information (block 2602). As described above, and asillustrated in FIGS. 25A-25D, the system can present a user interfacefor presentation that enables a user to create (e.g., describeinformation sufficient to create) a metric. As described above (e.g.,FIGS. 12A-12B, and so on), metrics can be associated with user accounts,network devices, and optionally both user accounts and network devicesin particular implementations. The user can create a metric (e.g., acustom metric), and specify a type of the metric by interacting with theuser interface to select whether the metric is associated with a useraccount or network device. Furthermore, the user can include a name(e.g., a succinct name explaining the metric, which can be used as areference when creating other metrics as described in FIG. 25A), andtextual information describing the metric.

The system receives selections of one or more filters indicating aspectsof user accounts or network devices to be used in determining the metric(block 2604). As illustrated in FIGS. 25A-D, the user can specifyfilters associated with the metric, with each filter indicating anaspect associated with a user account or network device, and indicatinga value that satisfies the filter. When the system applies the createdmetric, the system can access information associated with user accountsor network devices (e.g., configuration information, informationdescribing a network topology, user account information such as useraccount access information, profile information, and so on), anddetermine whether values associated with the selected filters aresatisfied (e.g., the values comport with aspects of a network device oruser account). That is, the system can determine, for instance for aparticular user account, whether a value associated with a selectedfilter is satisfied (e.g., a value can be ‘less than 30 days’, aselected filter can indicate a time of a last logon of a user account,and the value can be satisfied if information associated with theparticular user account indicates that a last logon of the particularuser account was less than 30 days prior).

The system receives, or determines, information associated with aneffect of the metric when determining a compromise value or compromiselikelihood (block 2606). As illustrated in FIG. 9A, compromise valuesand compromise likelihoods can be determined for user accounts and/ornetwork devices. Since, as described above, each compromise value andcompromise likelihood is determined from a multitude of metrics, one ormore of the metrics can be associated with a respective effect whendetermining the compromise value or compromise likelihood.

An effect of a metric, in this specification, includes any information,such as a weighting, that is applied to a value associated with themetric when determining a compromise value or compromise likelihood of auser account or network device. A user, after creating a metric, canindicate whether the metric is to be applied to determining a compromisevalue or compromise likelihood, and can further indicate a method ofcomputing an effect of the metric.

For example, the user can specify a weighting of the metric (e.g., aconstant value associated with the metric), to be utilized whendetermining a compromise value or compromise likelihood. The weightingcan be applied, along with other weightings of other metrics, todetermine an overall value of a compromise value or compromiselikelihood (e.g., each weighting can be applied to a respective value ofa metric, and then summed). As described above, particular metrics canbe Boolean in nature (e.g., whether a user account is an administrator),while other metrics can be associated with numerical values (e.g., atime since a password of a user account was last changed). Whenindicating a method of computing an effect of the metric, the user canspecify whether, in the case of a metric being associated with numericalvalues, an effect of the metric is to increase based on an increaseassociated with a numerical value.

For example, a metric can have an effect (e.g., on a compromiselikelihood) upon determining that a password of a user account was lastchanged greater than a threshold amount of time prior (e.g., 30 daysprior). In determining a compromise likelihood of a particular useraccount, the system can determine a value associated with the examplemetric, which can be based on a distance of a measured aspect of theparticular user account (e.g., a time associated with a most recentpassword change) from the threshold amount of time. For instance, if theparticular user account changed his/her password 60 days prior, thevalue of the example metric can be proportional to the difference fromthe threshold (e.g., 30 days prior). In this way, the system canincrease a compromise likelihood of the particular user account, sincethe particular user account will have had proportionally more time forhis/her password to be compromised (e.g., skimmed). Optionally, thevalue can be modified differently than proportionally, and can includeany arbitrary function (e.g., a square root of the value, logarithm ofthe value, and so on, such as a square root of 60 days minus thethreshold of 30 days).

In this way, a user can specify methods of each metric being determined,and subsequently utilized to determine a compromise likelihood orcompromise value of a user account or network device. Different networksmay call for different methods, for instance a user of a first networkmay be more interested in weighting network devices based on a number ofvulnerable applications they run (e.g., exploitable applications, forinstance as indicated by the common vulnerability scoring system(CVSS)), than weighting network devices based on a maximum severityscore of any one application they run (e.g., a maximum score of any ofthe exploitable applications as indicated by CVSS). Therefore, a user(e.g., a security officer) can fine-tune methods associated withdetermining compromise values and/or compromise likelihoods based onneeds associated with the user's networks.

FIG. 27 illustrates an example user interface 2700 for monitoring ametric. As described above, metrics can be created and monitored todetermine whether any investments (e.g., as described above) to reducean effect associated with the metric are working (e.g., reducing anumber of network devices or user accounts affected by the metric). Userinterface 2700 includes indications of metrics 2702 being applied to oneor more networks, along with summary information associated with eachmetric. For instance, as illustrated the summary information includes atotal number of network devices or user accounts that are affected bythe metric (e.g., network devices or user accounts associated withaspects that satisfy the metric), and for one or more of the metrics, achange in the number since a prior time period (e.g., a user selectabletime period, such as a day, a week, a month, and so on). For example,user interface 2700 indicates that a metric measuring “Enableadministrator accounts,” is associated with “53” user accounts (e.g., 53administrator accounts) and the number of user accounts has been reducedby “1” since the prior time period. The indication of metrics can beorganized, for instance as illustrated organized according to metricsthat have been most changed (e.g., a largest percentage reduction orincrease). The order can further be user-selectable, and can be based oninvestment information associated with the metrics (e.g., investmentsassociated with a longest amount of time, or associated with a highestcost to complete, can be ordered near the top of the user interface2700).

User interface 2700 illustrates information associated with a particularmetric (e.g., a metric selected by a user of the user interface 2700),“Active Systems in AD But Not SCCM” 2704. That is, the particular metric2704 is associated with network devices that are (1) Active (e.g.,enabled as described above), (2) in Active Directory, and (3) Not inSystem Center Configuration Manager. A number of network devices thatare affected by the metric are indicated (e.g., “15”), along with anindication of an increase in the number (e.g., “4”). In someimplementations, the user can specify a number, or percentage, ofnetwork devices affected by the particular metric 2704 that isacceptable. The system (e.g., the risk assessment system 100) can thenidentify whether the presented number in the user interface 2700 isacceptable, and optionally whether the number is good, mediocre, poor,and so on. For instance, the system can provide descriptive text (e.g.,adjacent to the number), or the number can be presented in a particularcolor depending on its value (e.g., an acceptable number can be green, amediocre number can be yellow or orange, and a poor number can be red),or a particular pattern (e.g., cross-hatched, dotted, lined, shaded, andso on).

A graphical illustration 2708 of the number of network devices affectedby the metric is included, which can be plotted against user selectabletime periods 2710. For instance, a user selectable time period caninclude a working week, a particular day, a month, a calendar year, atime since an investment associated with reducing an effect of themetric was instituted, and so on. The user interface 2700 furtherincludes indications of network devices 2712 that are affected by themetric (e.g., Systems 1-5). In some implementations, each indication ofa network device 2712 can be selectable, and upon selection, the userinterface 2700 can be updated to specify information associated with theselected network device. For instance, the information can includeconfiguration information of the selected network device, user accountaccess information (e.g., user accounts that have accessed the networkdevice, which can be similarly selectable, logons to the network device,and so on), network topology information (e.g., network systems incommunication paths, or that have actually communicated with, theselected network device), and so on.

Network Risk Map

As described above, and illustrated in, at least, FIGS. 18-19, thesystem (e.g., risk assessment system 100) can determine risk values foruser accounts and/or network devices associated with one or morenetworks. Each risk value is a combination of a compromise value (e.g.,also called an importance herein), which is determined from one or moremetrics measuring aspects of the compromise value, and a compromiselikelihood, which is determined from one or more metrics measuringaspects of the compromise likelihood. The system can generate, or causegeneration of, one or more user interfaces describing risk values ofuser accounts and/or network devices, which in this specification isdescribed as a network risk map. An example network risk map isdescribed below, and illustrated in FIG. 28A.

The network risk map can be utilized to view an overview of riskassociated with the networks, and can further be used to quicklynavigate amongst specific metrics to gain insights into particulars ofrisk associated with the networks. For instance, a user can determinethat a particular metric is affecting the networks (e.g., increasingrisk values), and view a user interface describing the metric over atime period (e.g., as described in FIG. 27).

The user can further refine and filter information included in thenetwork risk map, for example by constraining particular network devicesthat are included in the network risk map according to particularconfiguration information. For instance, the user can request that onlynetwork devices executing a particular operating system, or particularsoftware, or that store particular types of data, or that are connectedwith (e.g., determined from a network topology of the networks) networkdevices that satisfy one or more constraints, and so on, are to beincluded. As an example, the moment an exploit becomes known (e.g., azero-day), a user can view the network risk map and filter, refine, thenetwork risk map to present only network devices that are affected bythe exploit. The user can then quickly focus on network devices withassociated compromise values greater than a threshold.

Information associated with network risk maps can be shared with otherusers associated with other networks, such that a particular networkrisk map can be applied to other networks. As will be described,information associated with a network risk map can include filters andrefinements applied to network devices and user accounts, particularmetrics utilized in determining risk values of networks devices and useraccounts, particular weights applied to values of metrics in determiningcompromise value and compromise likelihood, and so on. In this way, auser can receive information associated with a network risk map, applythe network risk map to the user's networks, and view risk values of theuser's own network devices and/or user accounts according to the networkrisk map. In the above example of an exploit becoming known, thereceived network risk map can focus the user's attention on networkdevices and/or user accounts that are to be watched for compromise.Thus, network risk maps can be shared, reducing an effectiveness of anexploit being utilized by attackers as users (e.g., security officers)can rapidly gain knowledge of which network devices and/or user accountsare to be watched, locked down, modified, and so on. In someimplementations, the system (e.g., risk assessment system 100) candetermine similarities between networks (e.g., networks controlled,maintained, by different companies), and can automatically share networkrisk maps to users of particular networks that have been utilized byusers of one or more other networks. For example, if a particularnetwork was compromised and a user associated with the particularnetwork (e.g., a security officer) utilized a particular network riskmap (e.g., particular filters, weights of metrics, and so on) todetermine a method of attack or network devices or user accountsutilized in the attack, the particular network risk map can be sharedwith users of other networks that are similar to the particular network.Since an attack on multiple networks may follow a same pattern, orutilize a same method of attack, the users receiving the shared networkrisk map can more effectively block a similar attack.

FIG. 28A illustrates an example user interface 2800 for presenting anetwork risk map 2802. As described above, the network risk map 2802specifies risk values associated with network devices or user accounts(e.g., a user of the user interface 2800 can select between networkdevices or user accounts utilizing user interface elements 2804). Userinterface 2800 includes risk values associated with user accounts (e.g.,user interface element 2804 associated with user accounts has beenselected), which are grouped according to one or more distancefunctions. For instance, user accounts with similar risk (e.g., similarlocations in the network risk map, determined from a combination ofcompromise likelihood and compromise value) can be grouped together,with a size of a circle, or optionally arbitrary polygonal shape, sizedaccording to a number of user accounts that have been grouped together.The system can determine a measure of central tendency of risk valuesfor the user accounts grouped together, and position the circle at themeasure of central tendency of risk value, with a radius of the circledetermined, as described above, according to a number of user accounts.Alternatively, the circle can be sized according to a variance of riskvalues of the grouped user accounts (e.g., a variance from the measureof central tendency). The system can further group user accountsaccording an employee role of the user accounts, a location from whichthe user account works, and other arbitrary groupings a user of the userinterface 2800 can define. Measures of central tendency of risk valuesof user accounts in each grouping can then be determined, which isdescribed above with respect to FIG. 18.

The network risk map 2802 specifies risk values of user accounts as acombination of compromise value and compromise likelihood (e.g., asdescribed above), allowing a user of the user interface 2800 to quicklyascertain overall risk of a network. The user interface 2800 can bepresented, for instance, upon a user viewing user interface 2700, andinteracting with user interface element 2806. That is, the user can viewspecifics of metrics, and also view an overall network risk map 2802 inwhich the specific metrics are utilized to determine risk.

The user interface 2800 includes a zoom control 2808, which a user caninteract with to zoom in and out of the network risk map 2802. Forinstance, the user can zoom in on a portion of the network risk map2802, which can cause the user accounts grouped in circles to separateas the distance between risk values increases. In this way, the user canview detailed information that would otherwise be unavailable (e.g.,hidden in the network risk map 2802). Similarly, in some implementationsthe user can pinch-to-zoom on a portion of the network risk map 2802using a touch sensitive screen of a user device. Each grouping of useraccounts and/or network device can be colored, or patterned, accordingto risk values. For instance, colors can include green, orange, yellow,red, and so on. Additionally, a pattern can include lines,cross-hatches, dots, shadings, and so on.

A time slider 2810, or other user interface element to modify a timeperiod, is included in the user interface 2800 that specifies a timeperiod from which risk values are determined. For instance, asillustrated in user interface 2800, the time slider 2810 is positionedon “March 31,” indicating that risk values have been determined (e.g.,by the system) using information from “March 31.” That is, the timeslider 2810 provides a snapshot of determined risk values from “March31”. The time slider 2810 can be moved, showing the network risk map atdifferent time periods and providing an easy to understand window intorisk as a function of time. As described above, as time is changed(e.g., due to movement of the time slider 2810), an animation can bepresented illustrating changes in risk values of one or more useraccounts and/or network devices. For instance, a line connecting a useraccount's position in the network risk map at a starting date and anending date can be presented. In this way, the user can track particularuser accounts and/or network devices (e.g., user accounts and/or networkdevices that have the greatest change in risk value) across differenttime periods.

The network risk map 2802 can be filtered, refined, according to asearch user interface element 2812. The system can filter the networkrisk map 2802 to include only user accounts, or network devices, thatconform to the input filter(s) and refinements. A user can filter thepresented user accounts, or network devices, according to describableproperties of the user accounts, such as name (e.g., portion of name),identifier, employee role associated with user accounts, employeedepartment (e.g., system administrators, legal team, officers), and soon. Similarly, the user can filter the presented user accounts, ornetwork devices, according to other aspects utilized in determining riskvalues (e.g., aspects associated with metrics as described above). Forinstance, the user can utilize the search 2812 to filter user accountsaccording to a password complexity, a most recent logon time, a timefrom which a password was changed, group membership information, networkdevices accessed, and so on. In some implementations the user canprovide natural language search queries, which the system can receiveand parse to determine filters to be applied to the network risk map2802. For example, a user can specify that the user is to view useraccounts that have logged on in the past 5 days, have particular groupmemberships, and have accessed a particular web page in the past 5 days.The system can determine aspects indicated in the natural languagesearch query, and apply the aspects to the network risk map 2802. Forexample, the user can filter a network risk map according to networkdevices accessed by a particular user account, or user accountstransition to from the particular user account, to determine an effectthat a compromise of the particular user account would have on thenetwork. The user can further manipulate the time slider to specify oneor more times at which the filters are to be applied, or can incorporatean indication of a time, or time period (e.g., within a prior workingweek), into a search query.

Similar to the above, the search user interface 2812 can further receiveinformation associated with specific metrics being utilized to determinerisk values, and refine the network risk map 2802 based on theinformation. For instance, the user can specify that only user accounts,or network devices, that are affected by particular metrics are to beincluded in the network risk map 2802. Similarly, the user can specifyvalues thresholds associated with metrics (e.g., as described above withrespect to FIGS. 12A-12B, metrics can be associated with numericalvalues and determined for each user account or network device), and onlyuser accounts or network devices associated with the value thresholdscan be presented. In this way, the user can specify a threshold value ofa metric associated with measuring a number of exploitable applicationson each network device, and network devices with a value of the metric(e.g., a number of exploitable applications) greater than the thresholdcan be included in the network risk map 2802. In some implementations, aweight applied to particular metrics can be modified using the searchuser interface 2812. For instance, the user can specify that a weightassociated with a metric measuring a maximum severity score of anyapplication (e.g., highest common vulnerability scoring system score)executing on a network device is to be increased (e.g., increased from 5to 15). The system can then determine risk values utilizing the updatedweight, and present the modified risk values in the network risk map2802. In some implementations, the modified weight can be appliedpermanently (e.g., until a subsequent change), or until the usernavigates away from the user interface 2800 or selects a user interfaceelement to clear the modified weight.

FIG. 28B illustrates a second example user interface 2800 for presentinga network risk map 2802. As illustrated, a user of the user interface2800 has interacted with the time slider 2810 to specify that riskvalues are to be determined from March 11^(th). The system therefore hasaccessed maintained information specifying risk values, or determinedrisk values, that are associated with March 11^(th).

A particular user account 2814 is presented in the user interface 2800that is associated with a high compromise value and a high compromiselikelihood (e.g., “User Account 1”). In the user interface 2800described in FIG. 28A (e.g., associated with March 31), the particularuser account 2814 was not indicated as having a high compromise valueand a high compromise likelihood—indeed no user account was. Throughinteractions with the time slider 2810 (e.g., or other specification ofa time change), a user of the user of the network risk map can determinechanges in risk, and for instance, can determine that a change madeafter March 11^(th) that is associated with the particular user account2814 has worked to lower a risk value of the user account 2814. Forexample, as will be described in FIG. 28C, particular metrics thatcaused a high compromise value and compromise likelihood are displayed,enabling the user to determine remedial actions to take to lower therisk value of the particular user account 2814 (e.g., create aninvestment).

In some implementations the network risk map 2802 can be rotated aboutan axis, and modified to present information specific to a selected useraccount (e.g., particular user account 2814). For instance, a userdevice presenting the network risk map 2802 can have one or more sensors(e.g., accelerometers) that can determine a rotation about an axis(e.g., a user can rotate the user device left or right, such as arotation about the yaw-axis, y-axis, and so on). Upon rotation, the userinterface 2800 can update to include risk values of the particular useraccount 2814 over time. For instance, a graph can be included that plotsrisk value of the particular user account as a function of time.

Additionally, upon rotation the user interface 2800 can update toinclude a chart (e.g., a bar graph) illustrating which metrics causedthe particular user account's 2814 risk value to be high. For instance,a rectangle can be presented that extends from a lower portion 2816 ofthe network risk map 2802 to a location of the circle associated withthe particular user account 2814, with portions of the rectangle sizedaccording to an effect of metrics associated with determining compromiselikelihood. Similarly, a rectangle can be presented that extends from aleft portion 2818 of the network risk map 2802 to the location of thecircle associated with the particular user account 2814, with portionsof the rectangle sized according to an effect of metrics associated withdetermining compromise value. Each portion can include descriptive textidentifying an associated metric.

Furthermore, the user can indicate that the rectangle (e.g., bar graph)associated with either compromise value or compromise likelihood is tobe presented, and extended across a multitude of periods of time. Thatis, the makeup of either compromise value or compromise likelihood canbe presented as a function of time. In this way, the user can determinewhich metrics are affecting the user over time. For example, a bar graphassociated with compromise value can be extended as a function of time,and the user interface can present a multitude of bar graphs (e.g.,adjacent bar graphs) with differently sized portions according to valuesof particular metrics. Any investments made to metrics can be specifiedin the user interface, such that the user can determine whetherinvestments to reduce effects of metrics are working (e.g., an effect ofa metric should be reduced, that is a portion of the rectangle should besmaller, if an investment is working).

The above description included a user rotating a user device to viewinformation specific to a particular user account. In someimplementations, the described views can be presented upon interactionwith one or more selectable options, and can be presented on userdevices that do not include sensors to monitor rotations.

FIG. 28C illustrates an example user interface 2800 presenting summaryinformation 2820 associated with a particular user account 2814. Thesummary information 2820 includes indications of metrics that areaffecting the particular user account 2814. A user viewing userinterface 2800 can determine that metrics associated with the particularuser account's 2814 password are affecting risk, and provide informationto the particular user account to change his/her password. Additionally,the user can cause the password of the particular user account 2814 tono longer be valid, and force a password change.

FIG. 28D illustrates a second example user interface 2800 presentingsummary information 2824 associated with a user account 2822. The userinterface 2800 is presenting summary information 2824 associated with adifferent user account (e.g., “Admin Account 1”) 2822.

FIG. 28E illustrates a user interface 2830 for exporting informationassociated with user accounts. The user interface 2830 includes anetwork risk map 2832 presenting risk values of user accounts, howeverexporting information can function similarly for a network risk mappresenting risk values of network devices. A user of the user interface2830 can request that information included in the network risk map 2832be exported (e.g., for later presentation, such as offline presentation,for storage, and so on). The user can utilize a touch sensitive screenof a user device to generate a polygonal boundary 2834 the inside ofwhich specifies user accounts that are to be exported. For instance, theuser can identify a particular corner of the boundary 2834, and with oneor more other fingers draw the shape into existence. Similarly, the usercan utilize a mouse, or other input device, to specify the boundary2834.

The user accounts included in the boundary 2834 are then presented inthe user interface 2830, for instance in the portion 2836 (e.g., anidentifier of each user account along with a graphical depiction of arisk value, for instance based on a color or pattern as described inFIG. 28A). The user can then request that information associated witheach user account be exported (e.g., the user can interact with a userinterface element, or the exporting process can begin automatically).The information can be exported as a document (e.g., a comma separatevalue CSV document), that specifies details of each user account,including one or more of: values of metrics utilized in determining acompromise value, compromise risk, methods of computing an effect of themetrics, configuration information, user account access information, andother information that was utilized in determining a risk value, userprofile information specifying the user account, and so on.

Multiple Data Visualizations

As described above, methods of computing effects of metrics (e.g.,weights applied to metrics when determining compromise values and/orcompromise likelihoods) can be modified by a user, and the modificationscan be applied to generate updated network risk maps. Optionally,multiple network risk maps can be viewed at the same time, with eachnetwork risk map being associated with distinct methods of computing theeffects of metrics. For instance, a user can view two or more risk maps,and specify that each risk map is to have different weights applied tometrics. In this way, the user can quickly compare network risk maps to,for instance, determine a network risk map that most accuratelydescribes risk values, or provides risk values for different scenariosin which the user is interested. For example, the user may want tocompare the effects of distinct metrics on risk values, and canseparately increase particular metrics for respective network risk maps.The user can then, for instance, quickly view users' locations withinthe respective network risk maps. Optionally, the user can select a useraccount in a first network risk map, and the selection can be carried toone or more other displayed network risk maps (e.g., the user canspecify that selections of information included in particular networkrisk maps are to be shared with other network risk maps, so that theshared network risk maps can automatically select the same information).In this way, the user can select a user account or network device, andview information associated with the selected user account or networkdevice across one or more other network risk maps.

Sharing Network Risk Maps

As described above, information associated with network risk maps can beshared with users that maintain, or control, or secure, one or morenetworks, such that the users can apply the information to theirrespective networks. Information associated with networks includessearch information (e.g., search queries entered in the search userinterface element 2812 illustrated in FIG. 28A), methods of computingeffects of metrics (e.g., weights applied to metrics when determiningcompromise values and/or compromise likelihoods, and so on as describedin FIG. 26), and so on.

As an example described above, a user associated with a network candetermine that particular search information was the most useful foridentifying network devices that should be monitored (e.g., in responseto an attack by a malicious actor, or in response to an exploit beingreleased). The search information can indicate, for instance, thatnetwork devices which have the greatest quantities of a particular typeof data, and which execute a particular version of software (e.g.,OpenSSL), and which are accessed by administrator accounts, should bemonitored, disabled, modified (e.g., the version of the software shouldbe upgraded), and so on. In some implementations, the user can cause thedisabling, modification, using one or more user interfaces. That is,each network device can execute an agent that is in communication withthe system, and which can modify aspects of the network device (e.g.,disable or delete software, modify software, turn the network deviceoff, and so on).

A different user associated with a different network can receive (e.g.,automatically receive as described in FIG. 29) the particular searchinformation, and apply the search information to the different user'snetwork (e.g., a system, similar or same as the network risk assessmentsystem 100, can apply the search information). As described in FIGS.28A-28D, the search information can filter, or refine, a network riskmap associated with the different network, drawing focus towardsparticular network devices or user accounts. For example, the filtered,or refined, network risk map can particular network devices, and theuser can monitor one or more of the particular network devicesassociated with a high compromise value (e.g., greater than athreshold).

As described above, methods of computing effects of metrics can also beshared. For instance, a user can determine that a metric measuringparticular aspects of network devices should be weighted substantiallyhigher, and can modify the weighting. These modified methods can beprovided to other users to be applied to the users' respective networks,optionally in addition to search information being provided.

For example, a user can determine that a network device or user accountwas likely compromised by an attacker utilizing a particular combinationof factors. For instance, network devices compromised by an attacker mayall have executed a particular operating system, been accessible byadministrator accounts, and so on. In addition, the user can determinethat a threshold amount (e.g., a majority) of network devices wereexecuting a particular version of software, or the user can determinethat the network devices being compromised were in communication paths(e.g., determined using a network topology) with network devices thatstore a particular type of information (e.g., sensitive information,information associated with a particular software application, and soon). In this way, the user can determine that search information is toinclude network devices associated with the particular operating systemthat are accessible by administrator accounts. The user can then specifythat a weight of a metric associated with network devices executing theparticular version of software is to be increased, or a weightassociated with network devices in communication paths with networkdevices that store the particular type of information is to beincreased. In this way, the user can filter network devices based onwhat the user has seen on the user's network, and can increase acompromise likelihood and/or a compromise value based on metrics thatthe user has seen, or suspects, may need to be increased.

The system can, in some implementations, determine search informationand/or methods of computing effects of metrics based on obtained exploitinformation (e.g., the system can determine search informationassociated with the exploit, such as a type of affected softwareapplication and so on, as described above in FIG. 13). Additionally,subsequent to a compromise of a network, the system can determinecommonalities of aspects of user accounts or network devices that areassociated with user accounts or network devices actually compromised.In this way, the system can determine that particular aspects are to beincluded in search information (e.g., such that network risk maps solelyfocus on the aspects), while weights associated with particular metricsare to be increased (e.g., such that network risk maps place an addedemphasis of the metrics).

Sharing information associated with a network risk map can be madeautomatic (e.g., users can automatically receive information associatedwith network risk maps from other networks). The shared information canbe triggered according to external events (e.g., described above), orcan be triggered periodically based on time. Additionally, users cansubscribe to updates from other users (e.g., select users), for instanceusers that maintain similar networks (e.g., similarly created, areassociated with a similar business, and so on). The system can triggerupdates to shared information and provide the time-sensitive informationto be applied to other networks (e.g., the system can activate a systemthat determines risk values of user accounts and/or network devices foreach network). In some implementations, a user of a network can logon,and immediately view one or more network risk maps of the user'snetworks, with a particular (or more) network risk map being associatedwith information received from a different user of a different network(e.g., any updates the different user made can be automatically providedto the user and applied).

FIG. 29 illustrates an example process 2900 for sharing informationassociated with a network risk map. For convenience, the process 2900will be described as being performed by a system of one or morecomputers (e.g., the risk assessment system 100).

The system receives information associated with a network risk mapapplied to an initial network (block 2902). As described above, a user,or the system, can determine information associated with a network riskmap that best identifies network devices and/or user accounts that areto be monitored after a particular event, such as an exploit being madepublic or otherwise available, or an attack having occurred on theuser's networks.

The system determines one or more other networks that are similar to theinitial network (block 2904). In response to an exploit being released,or an attack occurring on the initial network, other networks canpreferably take proactive measures to guard their networks against theexploit being utilized, or a similar attack occurring on their networks.Networks that are similar to the initial network can benefit frominformation associated with the network risk map, such that users (e.g.,security officers) associated with the other networks can quickly applythe information, and view respective network risk maps geared towardsmonitoring network devices and/or user accounts that may be compromised.

The system can measure similarity between networks according to valuesof common metrics utilized in determining risk values. For instance, thesystem can compare values of metrics determined for the initial network,with values of the same metrics determined for other networks. A measureof similarity can be increased between the initial network and othernetworks depending on a closeness and quantity of values of metrics.

Additionally, search information included in the information associatedwith the network risk map can be applied to other networks, and thesystem can determine whether network devices and/or user accountsfiltered according to the search information are greater than athreshold in number or percentage, and optionally are associated withcompromise values greater than a threshold. In this way, the system candetermine whether an exploit, or attack, can be applied to the othernetworks as applied to the initial network.

The system provides the information associated with the network risk mapto the determined networks (block 2906). As described above, the systemcan provide the information to other networks, enabling users of theother networks to monitor particular network devices and/or useraccounts (e.g., network devices and user accounts at an increased riskof attack). In this way, an effectiveness of an attack on a network canbe subsequently minimized once other networks are given the tools tomonitor network devices and/or user accounts that are involved in theattack. In some implementations, the information can be specified in adocument (e.g., an XML document, a CSV file) that includes searchinformation, information describing metrics, associated weights or othermethods of computing effects of the metrics, and so on).

Investments and Trend Information

As described above, with respect to, at least, FIG. 14, the system candetermine investments that will cause a greatest reduction in riskvalues, cause a greatest reduction in a variance of risk values (e.g.,lower risk values of the highest user accounts and/or network devices).The system can simulate which metrics are to be associated withinvestments to reduce risk values, and can present recommendations tothe user. For instance, the system can determine an area under a curvesketched out by network devices or user accounts in a network risk map,and simulate which metrics can be reduced which would have a greatestreduction in the area (e.g., the area can represent an overall riskassociated with the networks). In some implementations, the system canmodify a reduction in the area according to a cost associated withimplementing the reduction (e.g., a cost associated with one or more of,training employees, acquiring new software or systems, maintaining thesoftware or systems, creating new software or hardware, and so on). Forinstance, changing a particular metric can be associated with a greatestreduction, but also be associated with a greatest cost. The system cantherefore balance the reduction against the cost (e.g., a user canprovide the cost information), and determine a best metric to invest in.

The system can further determine trends associated with groups ofnetwork devices and/or user accounts, and present the trend informationto a user. For instance, the system can determine that when useraccounts are grouped according to an employee role, and specifically anemployee role for a particular office location, that a single group isunusually high, or has increased in risk value (e.g., measure of centraltendency of risk value determined from risk values of user accountsincluded in the single group) at greater than a threshold rate.

Services

The description above includes, for instance, methods and systemsutilized to determine risk values associated with user accounts and/ornetwork devices. In some implementations, the system (e.g., riskassessment system 100) can determine risk values associated withservices (e.g., software services). A service can include, for example,an online software service (e.g., software as a service application)that can be utilized to store arbitrary data related to work beingperformed by employees associated with user accounts. For instance,instead of storing data locally on a network device, a user can utilizea storage service that can maintain the data in cloud storage accessibleusing a user name/password, two factor authentication, and so on.

The system can determines metrics associated with compromise value andcompromise likelihood of each service being utilized, and include anoption to present risk values of services in one or more user interfaces(e.g., in the network risk map illustrated in FIGS. 28A-28D). As anexample, the system can monitor (e.g., using application and proxydata), quantities and types of information that are being provided to acloud storage service (e.g., the system can obtain information fromagents executing on network devices that monitors the information beingprovided to the service). The system can obtain information identifyinga value (e.g., importance) of particular types of data (e.g., based onmetrics associated with network devices storing the particular types ofdata), and can increase a compromise value of a service that storestypes of data known to be valuable. Additionally, the system candetermine network devices associated with a high compromise value, andmonitor services to which the determined network devices provideinformation). The system can infer that valuable network devices willalso provide valuable information for storage in the cloud services.

Furthermore, the system can determine a compromise likelihood of eachservice according to an ease at which the service can be compromised.For instance, services that require two-factor authentication can beassociated with a reduced compromise likelihood, and services thatrequire passwords to be changed periodically and/or require passwords tobe of a particular complexity, can also be associated with a reducedcompromise likelihood. Compromise likelihood can further be determinedfrom historical information describing a frequency at which useraccounts associated with a service are compromised.

Services can additionally be incorporated into metrics associated withuser accounts and/or network devices. For instance, a metric associatedwith measuring each user account's conformance to best practices can bemodified to include whether each user account is utilizing approvedservices. That is, the system can increase a value of the metric upondetermining that a user account provides information to a service thatis not approved for use (e.g., the system can obtain proxy data, orother network information, specifying that particular quantities of dataare being provided to unapproved services).

OTHER EMBODIMENTS

Each of the processes, methods, and algorithms described in thepreceding sections may be embodied in, and fully or partially automatedby, code modules executed by one or more computer systems or computerprocessors comprising computer hardware. The code modules (or “engines”)may be stored on any type of non-transitory computer-readable medium orcomputer storage device, such as hard drives, solid state memory,optical disc, and/or the like. The systems and modules may also betransmitted as generated data signals (for example, as part of a carrierwave or other analog or digital propagated signal) on a variety ofcomputer-readable transmission mediums, including wireless-based andwired/cable-based mediums, and may take a variety of forms (for example,as part of a single or multiplexed analog signal, or as multiplediscrete digital packets or frames). The processes and algorithms may beimplemented partially or wholly in application-specific circuitry. Theresults of the disclosed processes and process steps may be stored,persistently or otherwise, in any type of non-transitory computerstorage such as, for example, volatile or non-volatile storage.

In general, the terms “engine” and “module”, as used herein, refer tologic embodied in hardware or firmware, or to a collection of softwareinstructions, possibly having entry and exit points, written in aprogramming language, such as, for example, Java, Lua, C or C++. Asoftware module may be compiled and linked into an executable program,installed in a dynamic link library, or may be written in an interpretedprogramming language such as, for example, BASIC, Perl, or Python. Itwill be appreciated that software modules may be callable from othermodules or from themselves, and/or may be invoked in response todetected events or interrupts. Software modules configured for executionon computing devices may be provided on a computer readable medium, suchas a compact disc, digital video disc, flash drive, or any othertangible medium. Such software code may be stored, partially or fully,on a memory device of the executing computing device, such as the riskassessment system 100, for execution by the computing device. Softwareinstructions may be embedded in firmware, such as an EPROM. It will befurther appreciated that hardware modules may be comprised of connectedlogic units, such as gates and flip-flops, and/or may be comprised ofprogrammable units, such as programmable gate arrays or processors. Themodules described herein are preferably implemented as software modules,but may be represented in hardware or firmware. Generally, the modulesdescribed herein refer to logical modules that may be combined withother modules or divided into sub-modules despite their physicalorganization or storage.

The various features and processes described above may be usedindependently of one another, or may be combined in various ways. Allpossible combinations and subcombinations are intended to fall withinthe scope of this disclosure. In addition, certain method or processblocks may be omitted in some implementations. The methods and processesdescribed herein are also not limited to any particular sequence, andthe blocks or states relating thereto can be performed in othersequences that are appropriate. For example, described blocks or statesmay be performed in an order other than that specifically disclosed, ormultiple blocks or states may be combined in a single block or state.The example blocks or states may be performed in serial, in parallel, orin some other manner. Blocks or states may be added to or removed fromthe disclosed example embodiments. The example systems and componentsdescribed herein may be configured differently than described. Forexample, elements may be added to, removed from, or rearranged comparedto the disclosed example embodiments.

Conditional language used herein, such as, among others, “can,” “could,”“might,” “may,” “for example,” and the like, unless specifically statedotherwise, or otherwise understood within the context as used, isgenerally intended to convey that certain embodiments include, whileother embodiments do not include, certain features, elements and/orsteps. Thus, such conditional language is not generally intended toimply that features, elements and/or steps are in any way required forone or more embodiments or that one or more embodiments necessarilyinclude logic for deciding, with or without author input or prompting,whether these features, elements and/or steps are included or are to beperformed in any particular embodiment. The terms “comprising,”“including,” “having,” and the like are synonymous and are usedinclusively, in an open-ended fashion, and do not exclude additionalelements, features, acts, operations, and so forth. Also, the term “or”is used in its inclusive sense (and not in its exclusive sense) so thatwhen used, for example, to connect a list of elements, the term “or”means one, some, or all of the elements in the list. Conjunctivelanguage such as the phrase “at least one of X, Y and Z,” unlessspecifically stated otherwise, is otherwise understood with the contextas used in general to convey that an item, term, etc. may be either X, Yor Z. Thus, such conjunctive language is not generally intended to implythat certain embodiments require at least one of X, at least one of Yand at least one of Z to each be present.

While certain example embodiments have been described, these embodimentshave been presented by way of example only, and are not intended tolimit the scope of the disclosure. Thus, nothing in the foregoingdescription is intended to imply that any particular element, feature,characteristic, step, module, or block is necessary or indispensable.Indeed, the novel methods and systems described herein may be embodiedin a variety of other forms; furthermore, various omissions,substitutions, and changes in the form of the methods and systemsdescribed herein may be made without departing from the spirit of theinventions disclosed herein. The accompanying claims and theirequivalents are intended to cover such forms or modifications as wouldfall within the scope and spirit of certain of the inventions disclosedherein.

Any process descriptions, elements, or blocks in the flow diagramsdescribed herein and/or depicted in the attached figures should beunderstood as potentially representing modules, segments, or portions ofcode which include one or more executable instructions for implementingspecific logical functions or steps in the process. Alternateimplementations are included within the scope of the embodimentsdescribed herein in which elements or functions may be deleted, executedout of order from that shown or discussed, including substantiallyconcurrently or in reverse order, depending on the functionalityinvolved, as would be understood by those skilled in the art.

It should be emphasized that many variations and modifications may bemade to the above-described embodiments, the elements of which are to beunderstood as being among other acceptable examples. All suchmodifications and variations are intended to be included herein withinthe scope of this disclosure. The foregoing description details certainembodiments of the invention. It will be appreciated, however, that nomatter how detailed the foregoing appears in text, the invention can bepracticed in many ways. As is also stated above, it should be noted thatthe use of particular terminology when describing certain features oraspects of the invention should not be taken to imply that theterminology is being re-defined herein to be restricted to including anyspecific characteristics of the features or aspects of the inventionwith which that terminology is associated.

What is claimed is:
 1. A computerized method comprising: by a system ofone or more computer systems, accessing network device informationassociated with network devices of one or more networks; accessing useraccount information associated with user accounts of the one or morenetworks; determining, based on the accessed information and for eachnetwork device and/or user account: a compromise value indicating animportance an attacker would place on compromising the network deviceand/or user account, and a compromise vulnerability indicating alikelihood of compromise of the user account and/or network device; andcausing presentation of an interactive user interface, the interactiveuser interface including a network risk map indicating risks associatedwith the user accounts and/or network devices, wherein risk associatedwith a user account or a network device is based on respectivecompromise value and compromise vulnerability of the user account or thenetwork device, wherein the interactive user interface responds tosearch information which filters user accounts and/or network devices.2. The computerized method of claim 1, wherein the network risk mapcomprises a plurality of visual elements each representing one or moreuser accounts or one or more network devices, and wherein each visualelement is positioned in the network risk map according to compromisevalues and compromise likelihoods of user accounts or network devicesrepresented by the visual element.
 3. The computerized method of claim1, wherein each visual element is adjusted based on associated risk. 4.The computerized method of claim 3, wherein adjusting a visualrepresentation according risk comprises: selecting a color of aplurality of colors based on the risk; and causing presentation, via theinteractive user interface, of the visual element presented according tothe selected color.
 5. The computerized method of claim 1, wherein eachvisual element represents user accounts or network devices that aregrouped according to the user accounts' or network devices' positions inthe network risk map.
 6. The computerized method of claim 1, wherein thecompromise value is based on a plurality of value metrics, and whereinthe compromise vulnerability is based on a plurality of vulnerabilitymetrics.
 7. The computerized method of claim 6, wherein the network riskmap is configured to update via adjustment of an effect associated withat least one of the value metrics or vulnerability metrics, such that atleast one of the visual elements is adjusted in position.
 8. Acomputerized method comprising: by a system of one or more computersystems accessing network device information associated with networkdevices of one or more networks, and/or accessing user accountinformation associated with user accounts of the networks; and causingpresentation of an interactive user interface, wherein the interactiveuser interface: presents a network risk map indicating risks associatedwith user accounts and/or network devices of the networks, the networkrisk map comprising: a plurality of visual elements, each visual elementrepresenting one or more user accounts or one or more network devices,and each visual element being positioned in the network risk mapaccording to a compromise value determined for the visual element and acompromise vulnerability determined for the visual element, wherein thecompromise value indicates an importance an attacker would place oncompromising the one or more user accounts or one or more networkdevices represented by the particular visual element, and wherein thecompromise vulnerability indicates a likelihood of compromise of the oneor more user accounts or one or more network devices represented by theparticular visual element; and responds to search information receivedvia presented search user interface elements, wherein in response toreceived search information, the interactive user interface: filtersuser accounts and/or network devices according to information specifiedin the search information and updates the network risk map based on thefiltering, or modifies the network risk map according to modificationsassociated with determining compromise values and/or compromisevulnerabilities.
 9. The computerized method of claim 8, wherein thenetwork device information indicates one or more of configurationinformation of network devices or a network topology indicatingcommunication paths between network devices determined using, at least,monitored network traffic between the network devices, and wherein useraccount information indicates one or more of user access rights ofrespective user accounts, profile information of respective useraccounts, user account rules enforced on the networks, or networkactions associated with the user accounts.
 10. The computerized methodof claim 8, wherein a compromise value and/or compromise vulnerabilitydetermined for each visual element is based on compromise values and/orcompromise vulnerabilities determined for network devices or useraccounts represented by the visual element.
 11. The computerized methodof claim 8, wherein the compromise value determined for each visualelement is based on one or more value metrics, and wherein thecompromise value for each visual element is based on one or morevulnerability metrics.
 12. The computerized method of claim 11, whereinmodifying the network risk map comprises one or more of: removingeffects of particular value metrics and/or vulnerability metrics fromcompromise values and/or compromise vulnerabilities determined for thevisual elements, or including effects of particular value metrics and/orvulnerability metrics in compromise values and/or compromisevulnerabilities determined for the visual elements, or modifying weightsassociated with vulnerability metrics and/or value metrics utilized indetermining compromise values and/or compromise vulnerabilitiesdetermined for the visual elements.
 13. The computerized method of claim11, wherein responding to input associated with a particular visualelement comprises: causing determination of one or more value metricsand/or one or more vulnerability metrics that are affecting thecompromise value and/or compromise vulnerability determined for theparticular visual element; and presenting summary information associatedwith the particular visual element, the summary information specifyingvalue metrics and/or vulnerability metrics associated with greater thana threshold effect.
 14. The computerized method of claim 8, wherein eachvisual element represents user accounts or network devices that aregrouped according to the user accounts' or network devices' positions inthe network risk map.
 15. The computerized method of claim 8, whereinthe interactive user interface further: presents a time slider enablingselection of a time period associated with determining compromise valuesand compromise vulnerabilities, wherein the interactive user interfaceupdates the network risk map based on a selected time period, therebypresenting increases or decreases in compromise value and compromisevulnerability according to time period.
 16. Non-transitory computerstorage media storing instructions that when executed by a system of oneor more computers, cause the computers to perform operations comprising:causing presentation of an interactive user interface, the interactiveuser interface causing access to network device information associatedwith network devices of one or more networks, and/or causing access touser account information associated with user accounts of the networks,wherein the interactive user interface: presents a network risk mapindicating risks associated with user accounts and/or network devices ofthe networks, the network risk map comprising: a plurality of visualelements, each visual element representing one or more user accounts orone or more network devices, and each visual element being positioned inthe network risk map according to a compromise value determined for thevisual element and a compromise vulnerability determined for the visualelement, wherein the compromise value indicates an importance anattacker would place on compromising the one or more user accounts orone or more network devices represented by the particular visualelement, and wherein the compromise vulnerability indicates a likelihoodof compromise of the one or more user accounts or one or more networkdevices represented by the particular visual element; and responds tosearch information received via presented search user interfaceelements, wherein in response to received search information, theinteractive user interface: filters user accounts and/or network devicesaccording to information specified in the search information and updatesthe network risk map based on the filtering, or modifies the networkrisk map according to modifications associated with determiningcompromise values and/or compromise vulnerabilities.
 17. Thenon-transitory computer storage media of claim 16, wherein the networkdevice information indicates one or more of configuration information ofnetwork devices or a network topology indicating communication pathsbetween network devices determined using, at least, monitored networktraffic between the network devices, and wherein user accountinformation indicates one or more of user access rights of respectiveuser accounts, profile information of respective user accounts, useraccount rules enforced on the networks, or network actions associatedwith the user accounts.
 18. The non-transitory computer storage media ofclaim 16, wherein a compromise value and/or compromise vulnerabilitydetermined for each visual element is based on compromise values and/orcompromise vulnerabilities determined for network devices or useraccounts represented by the visual element.
 19. The non-transitorycomputer storage media of claim 16, wherein the compromise valuedetermined for each visual element is based on one or more valuemetrics, and wherein the compromise value for each visual element isbased on one or more vulnerability metrics.
 20. The non-transitorycomputer storage media of claim 19, wherein modifying the network riskmap comprises one or more of: removing effects of particular valuemetrics and/or vulnerability metrics from compromise values and/orcompromise vulnerabilities determined for the visual elements, orincluding effects of particular value metrics and/or vulnerabilitymetrics in compromise values and/or compromise vulnerabilitiesdetermined for the visual elements, or modifying weights associated withvulnerability metrics and/or value metrics utilized in determiningcompromise values and/or compromise vulnerabilities determined for thevisual elements.